Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC

Shumon Huque <shuque@gmail.com> Mon, 10 July 2017 23:51 UTC

MIME-Version: 1.0
In-Reply-To: <20170710224102.EDB357E3CB92@rock.dv.isc.org>
References: <CAHPuVdUVQqvFZJFV4D88cg4fGfFqxnzAwj1VRr6oK7Y1n9hDUw@mail.gmail.com> <CA+nkc8BiSMSNqa9FifNAqWiZuf7prVjD6EKSnbFjq_EWi8kSoA@mail.gmail.com> <CAHPuVdVWi-4nQeoBuyKe7f81mieVpznFwd25Nb5at6t-JpYzUA@mail.gmail.com> <CAHPuVdUnUhfVtvgBWbyXD1fWjz04QMKp59Ar1HNonmAkJeLj6A@mail.gmail.com> <alpine.LRH.2.21.1707101641220.31889@bofh.nohats.ca> <CAHPuVdVFyFrXxmpJg-hO0Wv_SD9FMpzYZjWtGFZeZA-9hFQaiA@mail.gmail.com> <20170710224102.EDB357E3CB92@rock.dv.isc.org>
From: Shumon Huque <shuque@gmail.com>
Date: Mon, 10 Jul 2017 19:51:01 -0400
Message-ID: <CAHPuVdWZ3hHwErTSKrQf5YLJJyLAzwSN1_BgApwSMVxJvttiXw@mail.gmail.com>
To: Mark Andrews <marka@isc.org>
Cc: Paul Wouters <paul@nohats.ca>, Bob Harold <rharolde@umich.edu>, "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c0949e865ee600553ff410c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Y_lLdadfNDg878hDsQf1d579jnw>
Subject: Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC
Precedence: list

On Mon, Jul 10, 2017 at 6:41 PM, Mark Andrews <marka@isc.org> wrote:
>
>
> > I also don't want to deploy only Ed448 and cause my zone to be instantly
> > treated as unsigned by the vast majority of resolvers. Obviously, because
> > I've nullified the security benefit of DNSSEC, but also because I have
> > application security protocols, like DANE, that critically depend on
> DNSSEC
> > authentication, for which this would pose a grave security risk.
>
> For some reason there is this insane rush to use Ed448 before even
> the major crypto providors have shipped releases which support it.
> Get support into major packages then use it in production.  Yes,
> we are working on adding it to BIND.  Name servers get upgraded.
>

Hi Mark,

This was a hypothetical example that I thought might come up for some in
the future. I wasn't describing my personal plans, so don't rush to
implement Ed448 on my account! :-)

-- 
Shumon Huque

[DNSOP] New draft: Algorithm Negotiation in DNSSEC Shumon Huque
Re: [DNSOP] New draft: Algorithm Negotiation in D… Bob Harold
Re: [DNSOP] New draft: Algorithm Negotiation in D… Shumon Huque
Re: [DNSOP] New draft: Algorithm Negotiation in D… Michael H. Warfield
Re: [DNSOP] New draft: Algorithm Negotiation in D… Shumon Huque
Re: [DNSOP] New draft: Algorithm Negotiation in D… Paul Wouters
Re: [DNSOP] New draft: Algorithm Negotiation in D… Ólafur Guðmundsson
Re: [DNSOP] New draft: Algorithm Negotiation in D… Shumon Huque
Re: [DNSOP] New draft: Algorithm Negotiation in D… Shumon Huque
Re: [DNSOP] New draft: Algorithm Negotiation in D… Mark Andrews
Re: [DNSOP] New draft: Algorithm Negotiation in D… Paul Wouters
Re: [DNSOP] New draft: Algorithm Negotiation in D… Shumon Huque
Re: [DNSOP] New draft: Algorithm Negotiation in D… Shumon Huque
Re: [DNSOP] New draft: Algorithm Negotiation in D… Ted Lemon
Re: [DNSOP] New draft: Algorithm Negotiation in D… Stephane Bortzmeyer
Re: [DNSOP] New draft: Algorithm Negotiation in D… Shumon Huque
Re: [DNSOP] New draft: Algorithm Negotiation in D… Stephane Bortzmeyer
Re: [DNSOP] New draft: Algorithm Negotiation in D… Shumon Huque
Re: [DNSOP] New draft: Algorithm Negotiation in D… Ólafur Guðmundsson
Re: [DNSOP] New draft: Algorithm Negotiation in D… Shumon Huque
Re: [DNSOP] New draft: Algorithm Negotiation in D… Ólafur Guðmundsson
Re: [DNSOP] New draft: Algorithm Negotiation in D… Willem Toorop
Re: [DNSOP] New draft: Algorithm Negotiation in D… Shumon Huque
[DNSOP] The DNSSEC club and surprises (was Re: Ne… Andrew Sullivan
Re: [DNSOP] The DNSSEC club and surprises (was Re… Tony Finch
Re: [DNSOP] The DNSSEC club and surprises (was Re… Warren Kumari
Re: [DNSOP] The DNSSEC club and surprises (was Re… George Michaelson
Re: [DNSOP] The DNSSEC club and surprises (was Re… Warren Kumari
Re: [DNSOP] The DNSSEC club and surprises (was Re… Peter van Dijk