Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC

Ólafur Guðmundsson <olafur@cloudflare.com> Thu, 20 July 2017 09:08 UTC

Return-Path: <olafur@cloudflare.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D02F5131566 for <dnsop@ietfa.amsl.com>; Thu, 20 Jul 2017 02:08:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jnRgQoDV7cMp for <dnsop@ietfa.amsl.com>; Thu, 20 Jul 2017 02:08:37 -0700 (PDT)
Received: from mail-qt0-x233.google.com (mail-qt0-x233.google.com [IPv6:2607:f8b0:400d:c0d::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A74BE12ECF0 for <dnsop@ietf.org>; Thu, 20 Jul 2017 02:08:37 -0700 (PDT)
Received: by mail-qt0-x233.google.com with SMTP id o8so16461061qtc.5 for <dnsop@ietf.org>; Thu, 20 Jul 2017 02:08:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=uB+4LHfBLzmps+Fh8q7FmwufKJGkw+xJLghPRLr83ig=; b=wDP6sRKJgS7MD1vps5C+U6uY/ggfXDzVPN1eMLv4yrd0/K8Ds+6n7JErUfAleIxc+s 15LIC3Ib/4oirA0IBmS1lrNQHb2Y7qObG/nOxvMf6dEzD2dM0DdmxawB7VC7m5g5AcjD NKsua1DN1b8N5JO3h0QSCUjE4e5SDAqqRLefc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=uB+4LHfBLzmps+Fh8q7FmwufKJGkw+xJLghPRLr83ig=; b=QDedaBiLrItHp/qqHFeZ8pYRIHSdqMMK1jKYk7WUiR9qI5WNKKbs8Fd9O3eFnp4J2T oiLJOwDsb0ZZKkBWaJRI+X4+r4SKC4bCFGgKcOijAELRh2pOkHIAiosVZ7uZIcmXziji Frgbfszi/DgszdOxMFvlpplOEvTtpUzcbUnIh6LylrsAUMI9CuO2xlOVsVtaKSBFlqKf 8O6ySbC4rF5UgIl/OjgV5vOLF6IW5pgU83eaDDedUZQRO/8f45XnO/LqkLdksjfFhg0s I5cG6HY09hAexU332ucJwfgDo6UYV2PUFTRib6fFq1t07/OPtiv5ZmDYxdcOaL1KoNbz Z+Fw==
X-Gm-Message-State: AIVw113ZhfeARv8DdAN+M2I9CLqBncA+F+I1+FoiMKOX/5LgIZJ4V+5y haoBMs9113UbPUbryis6cG7ZJZeu1mlf
X-Received: by 10.237.36.6 with SMTP id r6mr4068377qtc.159.1500541715728; Thu, 20 Jul 2017 02:08:35 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.88.228 with HTTP; Thu, 20 Jul 2017 02:08:35 -0700 (PDT)
In-Reply-To: <CAHPuVdVGn0p9g5c-kXwmy_N2WtrGxDhcEG2mkxWyvh5XVTcMoQ@mail.gmail.com>
References: <CAHPuVdUVQqvFZJFV4D88cg4fGfFqxnzAwj1VRr6oK7Y1n9hDUw@mail.gmail.com> <CAN6NTqwi62xGtLnjNtV-CDCBKBV1TVEsCjbGUvtf_nxmcZEapw@mail.gmail.com> <CAHPuVdWisdPS3ezBsGSyX7Uh7Yw3HHcTaHHz3y9xA+Fow7G4Yw@mail.gmail.com> <CAN6NTqwB8b1aFsZg=LnaLWLrhLDe9-N3CVPO=qcHWXZTqSettg@mail.gmail.com> <CAHPuVdVGn0p9g5c-kXwmy_N2WtrGxDhcEG2mkxWyvh5XVTcMoQ@mail.gmail.com>
From: =?UTF-8?B?w5NsYWZ1ciBHdcOwbXVuZHNzb24=?= <olafur@cloudflare.com>
Date: Thu, 20 Jul 2017 11:08:35 +0200
Message-ID: <CAN6NTqx=hrO1KAaHJY7+BZehAWgWSPDTgSEMW1duMC7CZju28w@mail.gmail.com>
To: Shumon Huque <shuque@gmail.com>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="001a113bbf52efe6290554bc17c0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/YVAJmwNVKTyHF7XZvDAKkHLXhEo>
Subject: Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2017 09:08:39 -0000

On Thu, Jul 20, 2017 at 10:45 AM, Shumon Huque <shuque@gmail.com> wrote:

> On Thu, Jul 20, 2017 at 10:39 AM, Ólafur Guðmundsson <
> olafur@cloudflare.com> wrote:
>>
>>
>> I disagree, if a zone operator selects "less-than" common algorithm they
>> do that at their own risk,
>> if the risk is not acceptable then it should dual sign....
>>
>
> Yes. The point I was trying to make is that DANE sites (and probably
> others if they care about security) cannot afford to fail open. So they
> have to dual sign if they can stomach the costs, or delay deploying new
> algorithms for a long time. This draft is intended to (eventually) make the
> dual signing case easier to deal with operationally.
>


The point I'm making is that the proposed medicine is worse than the
ailment.

Olafur