References: <d383a88c-46cc-8252-3670-b30f68acdf44@redhat.com>
 <f45a40c7-f265-8e39-963b-2f6434afa18c@redhat.com>
 <40D559B1-174A-44AE-BAE0-6A0F41D6BFD9@icann.org>
 <c1c4f10f-0b9e-b390-904b-5b5643d5a650@redhat.com>
 <7307908B-4BA8-44B7-BDC5-92356FE1CDF5@icann.org>
 <adfc00af-a934-42cc-df5a-cebe3fce1167@redhat.com>
In-Reply-To: <adfc00af-a934-42cc-df5a-cebe3fce1167@redhat.com>
From: Matthew Pounsett <matt@conundrum.com>
Date: Wed, 23 Mar 2022 15:39:54 -0400
Message-ID: <CAAiTEH_U_3USjN+Y5t6i=BvPL0w3JmzLfz-LELQXUk1TzDLdpg@mail.gmail.com>
To: Petr Menšík <pemensik@redhat.com>
Cc: Paul Hoffman <paul.hoffman@icann.org>, "dnsop@ietf.org" <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/aN-HXbOlOeBWYpUjGMYynPRGBmk>
Subject: Re: [DNSOP] [Ext] Fwd: DNSSEC algorithm used on ietf.org
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>

On Wed, Mar 23, 2022 at 3:20 PM Petr Menšík <pemensik@redhat.com> wrote:
>
> Yes, it says so. It also says SHA-1 is not recommended for new
> signatures and ietf.org signature was made at 20220318000627.

It's more accurate to say that it's not recommended for new
deployments.  Operators are encouraged to migrate to more secure
algorithms, but given an existing deployment there's no MUST
associated with that migration, yet.

> Is there
> reason why DNS is so better protected than TLS certificates? Is its
> shorter message length a good protection? I don't understand the
> difference between
>

It's to do with the expected lifetime of the signatures, and the fact
that we're dealing with signatures, not encryption.  There is no need
to have years of protection from a single key or signature, as there
is with encryption and privacy, as is intended for TLS.
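The point about signature lifetime above can be made concrete by looking at the RRSIG record itself, which carries explicit inception and expiration timestamps (YYYYMMDDHHmmSS in UTC, RFC 4034 section 3.2) and an algorithm number. The following is an added example, not code from this thread or from the IETF; it parses RRSIG records in presentation format, reports the length of the validity window, checks validity at a given time (RFC 4035 section 5.3.1, inception <= now <= expiration), and flags the two SHA-1 based RSA algorithms (5 and 7) that RFC 8624 marks NOT RECOMMENDED for new signing. The sample records are constructed: the owner names, key tags and signature field are placeholders, and only the first inception timestamp (20220318000627) is the value quoted in the thread.

```python
"""Inspect DNSSEC RRSIG records: validity window, current validity, algorithm."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# RFC 4034 section 3.2: expiration and inception are YYYYMMDDHHmmSS, UTC.
RRSIG_TIME_FMT = "%Y%m%d%H%M%S"

# Algorithm numbers from the IANA DNSSEC algorithm registry (subset).
ALGORITHM_NAMES = {
    5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}
# SHA-1 based RSA signing algorithms; NOT RECOMMENDED for signing per RFC 8624.
SHA1_ALGORITHMS = {5, 7}

# Constructed sample records (placeholder names, key tags and signature data).
SAMPLE_RRSIGS = [
    "example.com. 1800 IN RRSIG A 5 2 1800 20220401000627 20220318000627 12345 example.com. AQIDBA==",
    "example.net. 3600 IN RRSIG A 13 2 3600 20220324120000 20220317120000 54321 example.net. AQIDBA==",
]


@dataclass
class Rrsig:
    owner: str
    type_covered: str
    algorithm: int
    labels: int
    original_ttl: int
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str


def parse_rrsig_time(field: str) -> datetime:
    """Turn an RRSIG timestamp field into a timezone-aware UTC datetime."""
    return datetime.strptime(field, RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)


def parse_rrsig(line: str) -> Rrsig:
    """Parse one RRSIG in zone-file presentation format:
    owner TTL IN RRSIG covered alg labels orig-ttl expiration inception keytag signer sig..."""
    f = line.split()
    if len(f) < 13 or f[2] != "IN" or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return Rrsig(
        owner=f[0], type_covered=f[4], algorithm=int(f[5]), labels=int(f[6]),
        original_ttl=int(f[7]), expiration=parse_rrsig_time(f[8]),
        inception=parse_rrsig_time(f[9]), key_tag=int(f[10]), signer=f[11],
    )


def validity_window(sig: Rrsig) -> timedelta:
    """Length of time the signature is usable at all."""
    return sig.expiration - sig.inception


def is_valid_at(sig: Rrsig, now: datetime) -> bool:
    """RFC 4035 section 5.3.1 time check (plain comparison, not RFC 1982 serial arithmetic)."""
    return sig.inception <= now <= sig.expiration


def assess(line: str, now: str) -> dict:
    """Summarise one RRSIG; `now` uses the same YYYYMMDDHHmmSS UTC format."""
    sig = parse_rrsig(line)
    at = parse_rrsig_time(now)
    return {
        "owner": sig.owner,
        "algorithm": ALGORITHM_NAMES.get(sig.algorithm, "alg%d" % sig.algorithm),
        "sha1_based": sig.algorithm in SHA1_ALGORITHMS,
        "window_days": validity_window(sig) / timedelta(days=1),
        "valid_now": is_valid_at(sig, at),
    }


if __name__ == "__main__":
    # Check the samples against the time this thread's message was sent (UTC).
    for rr in SAMPLE_RRSIGS:
        print(assess(rr, "20220323193954"))
```

Run against the samples, the first record shows a two-week window on an RSASHA1 signature, the second a one-week window on ECDSAP256SHA256; compare either with the 398-day maximum lifetime of a public TLS leaf certificate to see why a weakened hash is a more pressing concern on the TLS side than for a signature that is regenerated every few days.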

