IETF Logo Mail Archive

Re: [DNSOP] [Ext] Fwd: DNSSEC algorithm used on ietf.org

Matthew Pounsett <matt@conundrum.com> Wed, 23 March 2022 19:40 UTC

Return-Path: <matt@conundrum.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A84E53A08F6 for <dnsop@ietfa.amsl.com>; Wed, 23 Mar 2022 12:40:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=conundrum-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CiciyWoOY9bj for <dnsop@ietfa.amsl.com>; Wed, 23 Mar 2022 12:40:10 -0700 (PDT)
Received: from mail-lj1-x236.google.com (mail-lj1-x236.google.com [IPv6:2a00:1450:4864:20::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F6343A0A97 for <dnsop@ietf.org>; Wed, 23 Mar 2022 12:40:07 -0700 (PDT)
Received: by mail-lj1-x236.google.com with SMTP id q14so3299480ljc.12 for <dnsop@ietf.org>; Wed, 23 Mar 2022 12:40:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=conundrum-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=kKi7ueOJAl7k2fNVbdlJhWhxfY8h1xa6ddevN6aC1UI=; b=p+GtH2skGEBDYuG1sOhPblKmQoSIQZUAOOi6JMxpFyRhDyUfP4Asiprx1b05Jk8UFS IgCYcDAtG2D0ReJG53gUxHOyeEC2KcbL6IT5bHqoDinfcA0+MzAJR5++hH3ctElf9kvy NqvPdIBW4PxeEGgnoZij0R4mjdv3Sp8KU34slWNZdZPCAet91um7FvMcNUmZEF/Cx4aZ d6VmWNXOQyfPG6lt/JiPTY484fyf9HbHFY+Uq2BbvViLM1EAANvn0fpqQJPHhzUdcKt/ drULq96JIe5f+xKtOs+acrqqezqt13XPYkanaLU8aP29V9e/eKFMr+gMx1ImhplfRPBJ /JyQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=kKi7ueOJAl7k2fNVbdlJhWhxfY8h1xa6ddevN6aC1UI=; b=AXw9zogQ2bxt1RgWSzv8Zk/J1wwQ+to7IoWnaTf4sYIDr/gf4pEHGwUiXXocc/bPYu mxvzp56KWignzRS12GBCG/dddDXN9WZsTGHf/Q3VkPUpDboFA8s3evdmcoXqAKKl4MSf fI97Pl8Uvd9UH/H5kH+l91ZpoJHTuGtFGgTjzGeBkhwLbWnj9lVT1hvaUU+JfjBQNnLT 3S+57Esflwu+IjV6S2ZQKTGh2x9WTYCuewC4QYOTu6SMHhfDaZBXk/EVhVLHSAM78kjT 94r6pJo60s8PsWRFquOA6f1Q2EBNd0TvI0dk5TeRD9fFUTMfHJ/fpIhb5jrlMTbZGC4H 6goA==
X-Gm-Message-State: AOAM530GwdugZcTdADGHI3gaeJdj/VtrawRf9pkd+t/M4TUpjTdUGn9i yRM+6C8f+bRX5K7tgCg/VyuPkQVpByXBT3bxg0MDIw==
X-Google-Smtp-Source: ABdhPJzJvPSdXh69ElgJ0ShV++he5GeEz4Fis/MrPth3atmBtRGK7l8+nt5TPFSpDUdsF9utZ288sY7Nbu/abNH7F0c=
X-Received: by 2002:a2e:900c:0:b0:249:3e41:6363 with SMTP id h12-20020a2e900c000000b002493e416363mr1318627ljg.502.1648064405093; Wed, 23 Mar 2022 12:40:05 -0700 (PDT)
MIME-Version: 1.0
References: <d383a88c-46cc-8252-3670-b30f68acdf44@redhat.com> <f45a40c7-f265-8e39-963b-2f6434afa18c@redhat.com> <40D559B1-174A-44AE-BAE0-6A0F41D6BFD9@icann.org> <c1c4f10f-0b9e-b390-904b-5b5643d5a650@redhat.com> <7307908B-4BA8-44B7-BDC5-92356FE1CDF5@icann.org> <adfc00af-a934-42cc-df5a-cebe3fce1167@redhat.com>
In-Reply-To: <adfc00af-a934-42cc-df5a-cebe3fce1167@redhat.com>
From: Matthew Pounsett <matt@conundrum.com>
Date: Wed, 23 Mar 2022 15:39:54 -0400
Message-ID: <CAAiTEH_U_3USjN+Y5t6i=BvPL0w3JmzLfz-LELQXUk1TzDLdpg@mail.gmail.com>
To: Petr Menšík <pemensik@redhat.com>
Cc: Paul Hoffman <paul.hoffman@icann.org>, "dnsop@ietf.org" <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/aN-HXbOlOeBWYpUjGMYynPRGBmk>
Subject: Re: [DNSOP] [Ext] Fwd: DNSSEC algorithm used on ietf.org
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Mar 2022 19:40:13 -0000

On Wed, Mar 23, 2022 at 3:20 PM Petr Menšík <pemensik@redhat.com> wrote:
>
> Yes, it says so. It also says SHA-1 is not recommended for new
> signatures and ietf.org signature was made at 20220318000627.

It's more accurate to say that it's not recommended for new
deployments.  Operators are encouraged to migrate to more secure
algorithms, but given an existing deployment there's no MUST
associated with that migration, yet.

> Is there
> reason why DNS is so better protected than TLS certificates? Is its
> shorter message length a good protection? I don't understand the
> difference between
>

It's to do with the expected lifetime of the signatures, and the fact
that we're dealing with signatures, not encryption.  There is no need
to have years of protection from a single key or signature, as there
is with encryption and privacy, as is intended for TLS.

v2.40.4 | Report a Bug | By Email | System Status