Re: [DNSOP] [Ext] More private algorithms for DNSSEC
Vladimír Čunát <vladimir.cunat+ietf@nic.cz> Thu, 24 March 2022 11:49 UTC
Message-ID: <dfb33eeb-a2e0-d40a-8433-a9f0f4a305f8@nic.cz>
Date: Thu, 24 Mar 2022 12:49:04 +0100
To: dnsop WG <dnsop@ietf.org>
Cc: Nils Wisiol <nils@desec.io>
References: <5C105C71-B18C-4366-94F5-E8D60970109C@icann.org> <20B389EF-4909-43A0-9BC8-F57F5E332E8A@verisign.com> <1D59C3FB-4FCC-4A03-8E13-EA6902B14D2A@icann.org> <90ca44a8ac157d6545258795508b624f9802e44c.camel@desec.io>
From: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>
In-Reply-To: <90ca44a8ac157d6545258795508b624f9802e44c.camel@desec.io>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/YN_fCfTVA65zIRydOBcWc-JHS4Q>
On 22/03/2022 09.56, Nils Wisiol wrote:
> There was some internal discussion about using 17 vs 253, with the main
> argument for 253 being that this is the intended use case for 253 and
> the main argument for 17 being the worry that some resolver
> implementations could have special treatment for private algorithm
> numbers.

17 seems a little risky in the sense that it might get officially allocated in the next couple of years, even if you don't care about colliding with other experiments.

Knot Resolver does not have any special-casing here, I believe. Anything above 16 should always be an unsupported algorithm, so downgraded to insecure (if no other supported combination is in the DS set).

--Vladimir | knot-resolver.cz
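The downgrade rule the message refers to is the one from RFC 4035 section 5.2, as clarified by RFC 6840 section 5.2: when no record in an authenticated DS RRset combines a signing algorithm and a digest type the validator implements, there is no usable chain of trust and the child zone is treated as insecure, not bogus. The example below is added here; it is not Knot Resolver code and not code from the message. The algorithm ranges follow the IANA "DNS Security Algorithm Numbers" registry as it stood in March 2022, when the message was written. The sets of supported algorithms and digest types, and the DS records for the delegation, are assumptions constructed for the example.

```python
"""Delegation handling for unsupported DNSSEC algorithm numbers.

Added example, not Knot Resolver code. Implements RFC 4035 section 5.2 as
clarified by RFC 6840 section 5.2: if no record in an authenticated DS RRset
uses an algorithm *and* a digest type the validator implements, the child zone
is treated as insecure rather than bogus. Registry state is March 2022.
"""

from dataclasses import dataclass

# Assigned signing algorithms (number -> mnemonic), March 2022 registry state.
ALGORITHM_NAMES = {
    1: "RSAMD5", 2: "DH", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
    7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    12: "ECC-GOST", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
    15: "ED25519", 16: "ED448",
}
PRIVATE_USE = {253: "PRIVATEDNS", 254: "PRIVATEOID"}  # RFC 4034 Appendix A.1.1

# DS digest lengths per digest type: SHA-1, SHA-256, GOST R 34.11-94, SHA-384.
DIGEST_LENGTHS = {1: 20, 2: 32, 3: 32, 4: 48}
# What this example validator implements (an assumption made for the example).
SUPPORTED_DIGESTS = {2, 4}
SUPPORTED_ALGORITHMS = {8, 10, 13, 14, 15, 16}


def algorithm_status(number: int) -> str:
    """Classify an algorithm number by its IANA registry status."""
    if not 0 <= number <= 255:
        raise ValueError("DNSSEC algorithm numbers are one octet")
    if number in PRIVATE_USE:
        return "private-use"
    if number in ALGORITHM_NAMES:
        return "assigned"
    if 17 <= number <= 122:
        return "unassigned"      # free for future IANA allocation
    return "reserved"            # 0, 4, 9, 11, 123-252, 255


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def parse_ds(rdata: str) -> DS:
    """Parse DS presentation format: '<key tag> <algorithm> <digest type> <hex>'.

    The hex digest may be broken up by whitespace, as zone files allow.
    A digest whose length does not match a known digest type is malformed.
    """
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("DS rdata needs key tag, algorithm, digest type and digest")
    key_tag, algorithm, digest_type = (int(f) for f in fields[:3])
    if not (0 <= key_tag <= 65535 and 0 <= algorithm <= 255 and 0 <= digest_type <= 255):
        raise ValueError("DS field out of range")
    digest = bytes.fromhex("".join(fields[3:]))
    expected = DIGEST_LENGTHS.get(digest_type)
    if expected is not None and len(digest) != expected:
        raise ValueError(f"digest type {digest_type} needs {expected} bytes, got {len(digest)}")
    return DS(key_tag, algorithm, digest_type, digest)


def usable_ds(ds_rrset, supported_algorithms=SUPPORTED_ALGORITHMS,
              supported_digests=SUPPORTED_DIGESTS):
    """DS records this validator could use to authenticate a DNSKEY.

    Algorithm and digest type of the *same* record must both be supported
    (RFC 6840 section 5.2). Private-use numbers 253/254 carry the real algorithm
    name or OID inside the DNSKEY RDATA, so a validator that implements no
    private algorithm, like this one, cannot use such a DS at all; to it, 253
    and an unassigned number such as 17 look exactly the same.
    """
    return [ds for ds in ds_rrset
            if ds.algorithm in supported_algorithms
            and ds.digest_type in supported_digests]


def delegation_status(ds_rrset, **supported) -> str:
    """'validate' if some DS record is usable, 'insecure' if none is.

    An empty list is rejected: an absent DS RRset has to be proven with
    NSEC/NSEC3, which is a different code path from this one.
    """
    if not ds_rrset:
        raise ValueError("empty DS RRset: absence must be proven by NSEC/NSEC3")
    return "validate" if usable_ds(ds_rrset, **supported) else "insecure"


# Constructed sample DS RRset (not real zone data): one record with unassigned
# algorithm 17, one with PRIVATEDNS (253), both with SHA-256 digests.
EXPERIMENTAL_DS = [
    parse_ds("31589 17 2 " + "ab" * 32),
    parse_ds("31590 253 2 " + "cd" * 32),
]

if __name__ == "__main__":
    for ds in EXPERIMENTAL_DS:
        print(ds.algorithm, algorithm_status(ds.algorithm))
    print(delegation_status(EXPERIMENTAL_DS))                      # insecure
    with_ecdsa = EXPERIMENTAL_DS + [parse_ds("31591 13 2 " + "ef" * 32)]
    print(delegation_status(with_ecdsa))                           # validate
```

Run as a script, the constructed RRset (17 plus 253) comes out "insecure"; adding an ECDSAP256SHA256 DS to the same set flips it to "validate", which is the "other supported combination" the message mentions. The registry-status distinction is the practical difference between the two choices: 253 stays private-use by definition, while 17 sat in the unassigned range and was in fact allocated later (SM2SM3, RFC 9563), which is the collision the message warns about.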