Re: [DNSOP] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost

Mark Andrews <marka@isc.org> Wed, 01 May 2024 00:47 UTC

From: Mark Andrews <marka@isc.org>
Date: Wed, 01 May 2024 10:47:31 +1000
To: "dnsop@ietf.org WG" <dnsop@ietf.org>
In-Reply-To: <CADyWQ+F7mm2duU7N9F=5NadorX4xzUCjaZbNVHBU=NC2HGJr6g@mail.gmail.com>
Message-Id: <168FA998-2216-409E-AD8A-ACC4E05324F7@isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/XiZBVA-I0Wutbn6BsB_2QDk44mg>
Subject: Re: [DNSOP] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost

If we go ahead with this, these two sentences

    Validating resolvers MUST treat RRSIG records created from DNSKEY
    records using these algorithms as insecure. If no other RRSIG
    records of accepted cryptographic algorithms are available, the
    validating resolver MUST consider the associated resource records
    as Bogus.

need to be replaced with

    Validating resolvers MUST treat RRSIG records created from DNSKEY
    records using these algorithms as an unsupported algorithm. If no
    other RRSIG records of accepted cryptographic algorithms are
    available, the validating resolver MUST consider the associated
    resource records as Insecure.


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
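The difference between the two wordings is easiest to see as a validator decision table. The model below is an added illustration written for this archive page; it is not code from the draft, from BIND, or from the author of the message. It assumes the RFC 4035 section 5.2 rule that an authenticated DS RRset listing no algorithm the validator supports leaves the child zone Insecure (treated as unsigned), the RFC 6840 section 5.2 rule that a single valid RRSIG under a supported algorithm is sufficient for Secure, and reads the draft's current sentence as discarding only the RRSIG while leaving the DS-level support check unchanged. The `policy` switch, the `validate` function and the scenario data are constructed for the example; the algorithm numbers are the IANA DNSSEC algorithm identifiers.

```python
"""
Model of a DNSSEC validator's outcome for a zone whose signatures use an
algorithm the validator has been told not to trust.  Example code for this
page, not an implementation from the draft or any resolver.
"""
from enum import Enum

# IANA DNSSEC algorithm numbers used in the scenarios below.
RSASHA1 = 5
RSASHA1_NSEC3_SHA1 = 7
RSASHA256 = 8
ECC_GOST = 12
ECDSAP256SHA256 = 13
ED25519 = 15

# Assumed validator configuration (constructed for the example): it
# implements these algorithms ...
SUPPORTED = {RSASHA1, RSASHA1_NSEC3_SHA1, RSASHA256, ECDSAP256SHA256, ED25519}
# ... but the MUST NOT drafts tell it to stop using these.
DISABLED = {RSASHA1, RSASHA1_NSEC3_SHA1, ECC_GOST}


class Outcome(Enum):
    SECURE = "Secure"
    INSECURE = "Insecure"
    BOGUS = "Bogus"


def validate(ds_algs, rrsig_algs, supported=SUPPORTED, disabled=DISABLED,
             policy="unsupported"):
    """
    ds_algs:    algorithms listed in the authenticated DS RRset at the parent
    rrsig_algs: algorithms of the RRSIGs covering the RRset (each RRSIG is
                assumed to be cryptographically valid under its algorithm)
    policy:     "unsupported" - the wording proposed in the message: a
                                disabled algorithm behaves exactly like one
                                the validator never implemented
                "bogus"       - the draft's current wording, as this example
                                reads it: the RRSIG is discarded, but the
                                algorithm still counts as supported when the
                                DS RRset is examined
    """
    ds_algs, rrsig_algs = set(ds_algs), set(rrsig_algs)
    usable = set(supported) - set(disabled)

    if policy == "unsupported":
        known_at_ds = usable
    elif policy == "bogus":
        known_at_ds = set(supported)
    else:
        raise ValueError(f"unknown policy {policy!r}")

    # RFC 4035 5.2: no supported DS algorithm means no supported
    # authentication path, so the child is treated as unsigned.
    if not ds_algs & known_at_ds:
        return Outcome.INSECURE
    # RFC 6840 5.2: one valid RRSIG made with a usable algorithm is enough.
    if rrsig_algs & usable:
        return Outcome.SECURE
    # The DS RRset promised an algorithm we can check, but no acceptable
    # signature exists: validation fails.
    return Outcome.BOGUS


def compare(ds_algs, rrsig_algs):
    """Outcome under the draft's wording and under the proposed wording."""
    return (validate(ds_algs, rrsig_algs, policy="bogus"),
            validate(ds_algs, rrsig_algs, policy="unsupported"))


# Constructed scenarios: (description, DS algorithms, RRSIG algorithms).
SCENARIOS = [
    ("zone signed only with RSASHA1", {RSASHA1}, {RSASHA1}),
    ("RSASHA1 + ECDSA DS, but only RSASHA1 RRSIG", {RSASHA1, ECDSAP256SHA256}, {RSASHA1}),
    ("RSASHA1 + ECDSA DS and RRSIGs", {RSASHA1, ECDSAP256SHA256}, {RSASHA1, ECDSAP256SHA256}),
    ("zone signed only with ECC-GOST (never implemented)", {ECC_GOST}, {ECC_GOST}),
]

if __name__ == "__main__":
    for desc, ds, sigs in SCENARIOS:
        draft, proposed = compare(ds, sigs)
        print(f"{desc:55s} draft: {draft.value:9s} proposed: {proposed.value}")
```

Only the first scenario separates the two texts: a zone that still carries nothing but SHA-1 signatures fails validation (Bogus, i.e. SERVFAIL for clients) under the draft's sentence, and is served unvalidated (Insecure, like an unsigned zone) under the proposed one. Where the DS RRset also lists an algorithm the validator can use, both wordings demand a valid signature under it, and a never-implemented algorithm such as ECC-GOST is Insecure either way.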