Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC
Stephane Bortzmeyer <bortzmeyer@nic.fr> Wed, 19 July 2017 08:56 UTC
Date: Wed, 19 Jul 2017 10:49:42 +0200
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Shumon Huque <shuque@gmail.com>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Message-ID: <20170719084942.GA18413@laperouse.bortzmeyer.org>
References: <CAHPuVdUVQqvFZJFV4D88cg4fGfFqxnzAwj1VRr6oK7Y1n9hDUw@mail.gmail.com>
In-Reply-To: <CAHPuVdUVQqvFZJFV4D88cg4fGfFqxnzAwj1VRr6oK7Y1n9hDUw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ajGVPbhrR_eEoHgJtgzRgEv49es>
On Tue, Jul 04, 2017 at 11:42:56AM -0400,
 Shumon Huque <shuque@gmail.com> wrote
 a message of 108 lines which said:

> We've posted a new draft on algorithm negotiation which we're hoping to
> discuss at IETF99

For the discussion on Thursday:

> In contrast, many other security protocols, like TLS, IKE, SSH and
> others, support an algorithm or cipher suite negotiation mechanism

TLS and SSH are end-to-end. Not the DNS, and it makes things more
complicated (see section 6).

> because fragments are often blocked by network security devices.

by STUPID AND BROKEN network security devices. Otherwise, you do not
put the blame where it belongs.

> As can be readily seen from the RSA to ECDSA transition, very few
> zones have transitioned from RSA to ECDSA,

True, but not for the reasons of the response size. Both for my
employer's zones and for my own personal zones, the big issue is the
lack of support in tools like HSMs, the difficulty of algorithm
rollover, and the fact that tools like OpenDNSSEC don't make it easy.

So, we have apparently a disagreement on the basic diagnostic.

> the resolver has selectively cached signatures of a subset of
> algorithms supported by the zone

How does it know? I mean, in the response from the authoritative
server, nothing indicates if the signatures are a subset or not.
Suppose I send the list ECDSA;RSA, and I receive only ECDSA
signatures. How would the resolver/cache know if it was a complete
list?

> but prefers algorithms known to be supported for the name,

Again, where does this knowledge come from?
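The question raised in the message above (a resolver that asked for ECDSA;RSA and got back only ECDSA signatures cannot tell whether the RSA signatures were withheld by negotiation or removed in transit) can be shown concretely. The following is an added toy model written for this archive page; it is not code from the draft, from the message, or from any DNS implementation. Assumptions, all labelled in the code: the zone keys and key tags are constructed; an HMAC stands in for real RSA/ECDSA signing (only the algorithm and key-tag bookkeeping matter here); and the "preferred" hint passed to the authoritative side is a hypothetical stand-in for whatever negotiation signal a draft might define, not the draft's actual mechanism. The algorithm numbers 8 (RSASHA256) and 13 (ECDSAP256SHA256) are the real IANA values, and the validation rule is the one from RFC 6840 section 5.11 (one verifying signature of a supported algorithm is enough).

```python
"""Toy model: DNSSEC RRSIG subsets under hypothetical algorithm negotiation."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

# IANA DNSSEC algorithm numbers (real values).
RSASHA256 = 8
ECDSAP256SHA256 = 13

# Constructed zone keys, one DNSKEY per algorithm, keyed by (algorithm, key tag).
# The HMAC secret stands in for the real RSA/ECDSA private key (assumption).
ZONE_KEYS = {
    (RSASHA256, 12345): b"constructed-rsa-key",
    (ECDSAP256SHA256, 54321): b"constructed-ecdsa-key",
}
# What a validator learns from the (separately signed) DNSKEY RRset: [8, 13].
DNSKEY_ALGORITHMS = sorted({alg for alg, _ in ZONE_KEYS})


@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    key_tag: int
    signature: bytes


@dataclass
class Response:
    rrset: bytes          # canonical form of the signed RRset (constructed)
    rrsigs: List[RRSIG]   # the RRSIGs that actually arrived at the resolver


def sign(rrset: bytes, algorithm: int, key_tag: int) -> RRSIG:
    """Stand-in signer: HMAC over (algorithm || rrset) with the zone key."""
    mac = hmac.new(ZONE_KEYS[(algorithm, key_tag)],
                   bytes([algorithm]) + rrset, hashlib.sha256).digest()
    return RRSIG(algorithm, key_tag, mac)


def verify(rrset: bytes, sig: RRSIG) -> bool:
    if (sig.algorithm, sig.key_tag) not in ZONE_KEYS:
        return False
    expected = sign(rrset, sig.algorithm, sig.key_tag).signature
    return hmac.compare_digest(expected, sig.signature)


def authoritative_answer(rrset: bytes,
                         preferred: Optional[List[int]] = None) -> Response:
    """Authoritative side. With no hint it returns every RRSIG. With a
    (hypothetical) negotiation hint it keeps only the first preferred
    algorithm the zone is signed with, and says nothing about the rest."""
    sigs = [sign(rrset, alg, tag) for alg, tag in ZONE_KEYS]
    if preferred:
        for alg in preferred:
            if alg in DNSKEY_ALGORITHMS:
                sigs = [s for s in sigs if s.algorithm == alg]
                break
    return Response(rrset, sigs)


def strip_algorithm(resp: Response, algorithm: int) -> Response:
    """On-path attacker removes every RRSIG of one algorithm (a downgrade)."""
    return Response(resp.rrset,
                    [s for s in resp.rrsigs if s.algorithm != algorithm])


def validate(resp: Response, supported: List[int]) -> Optional[int]:
    """RFC 6840 s5.11 rule: accept as soon as one signature of a supported
    algorithm verifies. Returns that algorithm, or None if bogus."""
    for alg in supported:
        for sig in resp.rrsigs:
            if sig.algorithm == alg and verify(resp.rrset, sig):
                return alg
    return None


def missing_algorithms(resp: Response, dnskey_algorithms: List[int]) -> List[int]:
    """Algorithms in the DNSKEY RRset for which no RRSIG arrived. This is all
    the resolver can observe; nothing in the response marks it as a subset."""
    return sorted(set(dnskey_algorithms) - {s.algorithm for s in resp.rrsigs})


if __name__ == "__main__":
    rr = b"www.example. 300 IN A 192.0.2.1"            # constructed RRset
    full = authoritative_answer(rr)
    negotiated = authoritative_answer(rr, preferred=[ECDSAP256SHA256, RSASHA256])
    downgraded = strip_algorithm(full, ECDSAP256SHA256)
    for name, resp in (("full", full), ("negotiated", negotiated),
                       ("downgraded", downgraded)):
        print(name, "validated with alg", validate(resp, [ECDSAP256SHA256, RSASHA256]),
              "missing", missing_algorithms(resp, DNSKEY_ALGORITHMS))
```

The point the model makes: a response negotiated down to RSASHA256 by a resolver that asked for RSA;ECDSA and a full response from which an attacker stripped the ECDSA signatures contain byte-for-byte the same RRSIGs, both validate under the RFC 6840 rule, and `missing_algorithms` reports the same gap for each. Comparing the RRSIG algorithms against the DNSKEY RRset is the only check available, and it cannot distinguish the two cases.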