Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC

Shumon Huque <shuque@gmail.com> Mon, 10 July 2017 23:51 UTC

Return-Path: <shuque@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0789D120726 for <dnsop@ietfa.amsl.com>; Mon, 10 Jul 2017 16:51:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id spd7Z9cR8WnY for <dnsop@ietfa.amsl.com>; Mon, 10 Jul 2017 16:51:03 -0700 (PDT)
Received: from mail-vk0-x230.google.com (mail-vk0-x230.google.com [IPv6:2607:f8b0:400c:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5CC4B1200ED for <dnsop@ietf.org>; Mon, 10 Jul 2017 16:51:03 -0700 (PDT)
Received: by mail-vk0-x230.google.com with SMTP id 191so56062563vko.2 for <dnsop@ietf.org>; Mon, 10 Jul 2017 16:51:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=32zCYeKJABNimkRrTE7d7wldwISYx7AXbBGUBjvk4To=; b=sBul9GuR+OyYtmgT7Yu2hSV99yajUwOV3IfBizA+IQztQaUMqGf8OSG9kw9JY7RpBO HgdzL4QpKYr4kYOxceFhyYV2aUMDWLx0YRm3z98JenfD4zw4XzEVpnNzSFPh6K+QW+cZ 2FjmnKwYd3WDaB2/95oaoSLmoWz3SavDHq6dayUzayGnsOdQVhm/FYYHIyHhdCyOHO56 rv2waB+wxN0NsSJVVGwpa5HL8iq8aUQwRPsey2Esr5M2JANZXA8NX4Kh1KNKmyK39wLH 1Ye9KEc4Lwxdc1g8yaiqtfH6413PNraFqlZFaeeqNkGKnbL7O9OEvP4zrFc5IvvUe3xn hinA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=32zCYeKJABNimkRrTE7d7wldwISYx7AXbBGUBjvk4To=; b=DxZFovCM7j2iuixaPhNYFuvhDCfIhEw+6Q4XP3ODhBYL02p7zbRhdNfcEzL6BZaJQ1 HJomfzSpNxEg1rFrTRrHQXE7W79xMPNwghI63mlM5E7QR9C388gqECXU89bnIfAFIMmd U37wWi66WFZmWBaGNU4Sr13Hgm1Vor/ma/XLX6/nCxmRQQD34Icbuolbcc0my9gTyEvy bAdjE//sj2MEpKI3G/8rXcdmnu2/mMBQJIR7nYjwJvZSDRcTIu7Q2n2Y4GajyMSdJzPd SyIQccEqT8Twy2+/+eXXAz7HArcsQgqEKCyeJwuSHoYgEblThxDqH9WIMUa59p4FkDgH 87Tg==
X-Gm-Message-State: AIVw110qZzRygechGT3dMq/vs2liYCFwYQPXPpcB5ZAmyGvrit1BWE/e D90CFF8Z1F/cFCGRmXqUJC7uOm8lxQ==
X-Received: by 10.31.233.3 with SMTP id g3mr9142684vkh.91.1499730662516; Mon, 10 Jul 2017 16:51:02 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.176.79.231 with HTTP; Mon, 10 Jul 2017 16:51:01 -0700 (PDT)
In-Reply-To: <20170710224102.EDB357E3CB92@rock.dv.isc.org>
References: <CAHPuVdUVQqvFZJFV4D88cg4fGfFqxnzAwj1VRr6oK7Y1n9hDUw@mail.gmail.com> <CA+nkc8BiSMSNqa9FifNAqWiZuf7prVjD6EKSnbFjq_EWi8kSoA@mail.gmail.com> <CAHPuVdVWi-4nQeoBuyKe7f81mieVpznFwd25Nb5at6t-JpYzUA@mail.gmail.com> <CAHPuVdUnUhfVtvgBWbyXD1fWjz04QMKp59Ar1HNonmAkJeLj6A@mail.gmail.com> <alpine.LRH.2.21.1707101641220.31889@bofh.nohats.ca> <CAHPuVdVFyFrXxmpJg-hO0Wv_SD9FMpzYZjWtGFZeZA-9hFQaiA@mail.gmail.com> <20170710224102.EDB357E3CB92@rock.dv.isc.org>
From: Shumon Huque <shuque@gmail.com>
Date: Mon, 10 Jul 2017 19:51:01 -0400
Message-ID: <CAHPuVdWZ3hHwErTSKrQf5YLJJyLAzwSN1_BgApwSMVxJvttiXw@mail.gmail.com>
To: Mark Andrews <marka@isc.org>
Cc: Paul Wouters <paul@nohats.ca>, Bob Harold <rharolde@umich.edu>, "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c0949e865ee600553ff410c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Y_lLdadfNDg878hDsQf1d579jnw>
Subject: Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Jul 2017 23:51:05 -0000

On Mon, Jul 10, 2017 at 6:41 PM, Mark Andrews <marka@isc.org>; wrote:
>
>
> > I also don't want to deploy only Ed448 and cause my zone to be instantly
> > treated as unsigned by the vast majority of resolvers. Obviously, because
> > I've nullified the security benefit of DNSSEC, but also because I have
> > application security protocols, like DANE, that critically depend on
> DNSSEC
> > authentication, for which this would pose a grave security risk.
>
> For some reason there is this insane rush to use Ed448 before even
> the major crypto providors have shipped releases which support it.
> Get support into major packages then use it in production.  Yes,
> we are working on adding it to BIND.  Name servers get upgraded.
>

Hi Mark,

This was a hypothetical example that I thought might come up for some in
the future. I wasn't describing my personal plans, so don't rush to
implement Ed448 on my account! :-)

-- 
Shumon Huque