IETF Logo Mail Archive

Re: [DNSOP] [Ext] DNSSEC Strict Mode

Mark Andrews <marka@isc.org> Wed, 24 February 2021 21:44 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A7123A1C74 for <dnsop@ietfa.amsl.com>; Wed, 24 Feb 2021 13:44:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b=qEZ47Dem; dkim=pass (1024-bit key) header.d=isc.org header.b=pB56zrNl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3c9682t1CEbB for <dnsop@ietfa.amsl.com>; Wed, 24 Feb 2021 13:44:16 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2EE923A1C53 for <dnsop@ietf.org>; Wed, 24 Feb 2021 13:44:14 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 9FD283AB025; Wed, 24 Feb 2021 21:44:13 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1614203053; bh=88iGIjso4Y6594hXtqQbZsEymOJ0j4AJC1g3Oq85sD4=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=qEZ47DemJzi8gorxquEZwWeV2A4zldur4gj7t5FHQ7qRk6xzxrZLvDk43fe4XWmgd DpsIMjkzCkjIhvzrQZsniWAA9H+3Gso3iIbAnA/8OHHKGmfTX6GaknvBuHGvF3muKW UYACnxgLSaUpAl85Cs/npAV+upYUNnd33qao8aGU=
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 8FF3116005D; Wed, 24 Feb 2021 21:44:13 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 736B416009E; Wed, 24 Feb 2021 21:44:13 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.9.2 zmx1.isc.org 736B416009E
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1614203053; bh=Qq9RxF/n6XelF/KKhUVfmGYpEQMtGLDWRAEDjVrPAsI=; h=Content-Type:Mime-Version:Subject:From:Date: Content-Transfer-Encoding:Message-Id:To; b=pB56zrNlRDXiksuJsHImfp2x+6lx4n8bKoibT+C6Xq2okTs5oIUzIWGjCL7t/SpMW snaQV77uh1M2Df6DhK2X6bKt5o2PQgk+zdA0JQD+QsX992EkhvgsKxD65475q2NhYw mTlH6zDz9hE1OwLgUWiMqisZpVUFKvHy3Yh+HtPE=
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 2v10Wds_ZDEr; Wed, 24 Feb 2021 21:44:13 +0000 (UTC)
Received: from [172.30.42.67] (n114-75-173-184.bla4.nsw.optusnet.com.au [114.75.173.184]) by zmx1.isc.org (Postfix) with ESMTPSA id 2E00616005D; Wed, 24 Feb 2021 21:44:12 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.7\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <02CAFAF2-BD58-48D4-B9CC-DD06EB99357B@wisser.se>
Date: Thu, 25 Feb 2021 08:44:09 +1100
Cc: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, Paul Hoffman <paul.hoffman@icann.org>, Samuel Weiler <weiler@watson.org>, dnsop <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <57BA9FA0-C16D-4178-B4A8-C9D9B174AC82@isc.org>
References: <CAHbrMsBeCiZ-31hjKvet2UPDPFhdVYpgqR6Kw-WWz1ERgeSFoQ@mail.gmail.com> <7BB07063-2CA3-4283-8866-2B19A7AAA9A0@icann.org> <45e3c45-d324-8124-5dae-98acba9dd7cb@watson.org> <CAHbrMsBsG8OnXOXwAFY5eNf-0viQ_e5nKKhp1XVpnpMkGW1L-Q@mail.gmail.com> <02CAFAF2-BD58-48D4-B9CC-DD06EB99357B@wisser.se>
To: Ulrich Wisser <ulrich=40wisser.se@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3445.9.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/XiWdzn_Ul7xdFe4qI2RVtHTT4Fo>
Subject: Re: [DNSOP] [Ext] DNSSEC Strict Mode
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Feb 2021 21:44:25 -0000


> On 25 Feb 2021, at 02:01, Ulrich Wisser <ulrich=40wisser.se@dmarc.ietf.org> wrote:
> 
>> 
>> On 23 Feb 2021, at 17:49, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> wrote:
>> 
>> 
>> 
>> On Tue, Feb 23, 2021 at 11:21 AM Samuel Weiler <weiler@watson.org> wrote:
>> ...
>> Recognizing that I'm likely biased by my history of working on the 
>> current "mandatory algorithm rules", I don't buy the need for this 
>> complexity.  In practice our "weak" algorithms aren't _that_ weak. 
>> And, if they are, we might as well stop signing with them entirely.
>> 
>> I think that was true for a long time, but I'm not sure it's still true, or will stay true.  I'm particularly motivated by the ongoing discussion about adding Algorithms to the registry [1], and a recent overview of Post-Quantum cryptography for DNSSEC [2].  Also, 829-bit RSA was factored last year [3].  Validator update timelines are Very Slow, so we should be thinking about adding features we might need before we need them.
>> 
>> Even if we are currently in a state where zone owners feel like they have simple, safe choices, I don't think we should assume that this will remain true indefinitely.
>> 
>> This seems like unnecessary further loading of the camel.
>> 
>> FWIW, my preference would be to simply remove the lax-validation rule from RFC 6840, which would simplify the standard overall ... but there must have been a good reason for it.  Strict Mode might be a stepping-stone in that direction.
> 
> Not only am I in favor of the RFC6840 lax validation, it is in fact necessary for secure DNSSEC operation.
> In fact I believe the RFC 4035 needs to be updated to explicitly allow algorithms without signatures.
> At the current state of dnssec RFC definitions it is unclear how you could change DNS operators securely if these operators do not sign the zone with the same algorithm.

You can’t do that as the logic doesn’t allow it.  Perform algorithm roles to and from mandatory to implement algorithms before and after the move if necessary.

>> Ben, if you decide to persist with this idea, I've filed some issues 
>> in your GH repo.
>> 
>> Thanks! 
>> 
>> [1] https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dnssec-iana-cons-00
>> [2] https://indico.dns-oarc.net/event/37/contributions/811/
>> [3] https://en.wikipedia.org/wiki/RSA_numbers#RSA-250
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email