Re: [DNSOP] [Ext] DNSSEC Strict Mode

Samuel Weiler <weiler@watson.org> Tue, 23 February 2021 16:20 UTC

Date: Tue, 23 Feb 2021 11:20:37 -0500
From: Samuel Weiler <weiler@watson.org>
To: Paul Hoffman <paul.hoffman@icann.org>
cc: dnsop <dnsop@ietf.org>
In-Reply-To: <7BB07063-2CA3-4283-8866-2B19A7AAA9A0@icann.org>
Message-ID: <45e3c45-d324-8124-5dae-98acba9dd7cb@watson.org>
References: <CAHbrMsBeCiZ-31hjKvet2UPDPFhdVYpgqR6Kw-WWz1ERgeSFoQ@mail.gmail.com> <7BB07063-2CA3-4283-8866-2B19A7AAA9A0@icann.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/bsdUEgjf1VGbENs5G_dWPPTxKF0>
Subject: Re: [DNSOP] [Ext] DNSSEC Strict Mode

On Tue, 23 Feb 2021, Paul Hoffman wrote:

> What is the purpose of this flag? Why wouldn't a zone owner who has 
> such a strong desire for using that one algorithm just sign with 
> that algorithm?

Section 2.2 of the draft makes the argument.  Ben seems to be 
imagining a world where some validators don't implement the "stronger" 
algorithm and he wants to provide at least some protection for them - 
potentially for a long time.  And, addressing Paul Wouters' comment, 
he's envisioning a world where the state of having multiple 
algorithms' signatures persists.

Recognizing that I'm likely biased by my history of working on the 
current "mandatory algorithm rules", I don't buy the need for this 
complexity.  In practice our "weak" algorithms aren't _that_ weak. 
And, if they are, we might as well stop signing with them entirely. 
This seems like unnecessary further loading of the camel.

Ben, if you decide to persist with this idea, I've filed some issues 
in your GH repo.

-- Sam
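The two positions in this message turn on how a validator treats a zone that carries signatures from more than one algorithm. The following Python model is an added example, not code from the draft, from Ben, or from this thread. It encodes the current "mandatory algorithm rules" as I understand them from RFC 4035 section 2.2 and RFC 6840 section 5.11 (the signer must sign with every algorithm in the DS set; a validator accepts any one verifying RRSIG from an algorithm it supports), and a hypothetical strict rule whose semantics are my assumption for illustration: a validator that supports a strict-flagged algorithm must see a valid signature from that algorithm. The algorithm numbers, the `Rrsig.valid` field (standing in for cryptographic verification) and the scenarios are constructed.

```python
"""Toy model of DNSSEC validation policy for a zone signed with two algorithms.

Added example, not code from the draft or from this thread. The strict-mode
semantics below are an assumption made for illustration, not the draft's text.
"""
from dataclasses import dataclass

# Algorithm numbers used only as labels in this model (constructed roles).
WEAK_ALG = 8       # stands in for the "weak" algorithm in the thread's scenario
STRONG_ALG = 15    # stands in for the "stronger" algorithm


@dataclass(frozen=True)
class Rrsig:
    algorithm: int
    valid: bool  # constructed stand-in for "this signature cryptographically verifies"


@dataclass(frozen=True)
class Zone:
    ds_algorithms: frozenset          # algorithms listed in the parent's DS RRset
    rrsigs: tuple                     # RRSIGs covering the RRset under validation
    strict_algorithms: frozenset = frozenset()  # hypothetical strict flag (assumption)


def signer_complies(zone: Zone) -> bool:
    """Signer-side rule: every algorithm in the DS set must have an RRSIG."""
    signed = {s.algorithm for s in zone.rrsigs}
    return zone.ds_algorithms <= signed


def validate_any_one(zone: Zone, supported: set) -> str:
    """Current validator rule: accept if any one RRSIG from a supported algorithm verifies.

    With no supported algorithm at all, the zone is treated as unsigned ("insecure").
    """
    usable = [s for s in zone.rrsigs if s.algorithm in supported]
    if not usable:
        return "insecure"
    return "secure" if any(s.valid for s in usable) else "bogus"


def validate_strict(zone: Zone, supported: set) -> str:
    """Hypothetical strict rule (assumption): a validator that supports a strict-flagged
    algorithm requires a verifying RRSIG from that algorithm; validators that do not
    support it fall back to the current any-one-of rule and keep whatever protection
    their supported algorithms give them.
    """
    required = zone.strict_algorithms & supported
    if not required:
        return validate_any_one(zone, supported)
    for alg in required:
        if not any(s.valid for s in zone.rrsigs if s.algorithm == alg):
            return "bogus"
    return "secure"


def downgrade_scenario() -> dict:
    """Constructed scenario: only the weak-algorithm RRSIG verifies, the strong one does not.

    This is the case the draft's rationale worries about: under the any-one-of rule a
    validator that supports both algorithms still accepts, so the zone's security is that
    of its weakest algorithm.
    """
    zone = Zone(
        ds_algorithms=frozenset({WEAK_ALG, STRONG_ALG}),
        rrsigs=(Rrsig(WEAK_ALG, True), Rrsig(STRONG_ALG, False)),
        strict_algorithms=frozenset({STRONG_ALG}),
    )
    return {
        "signer_complies": signer_complies(zone),
        "any_one_both_supported": validate_any_one(zone, {WEAK_ALG, STRONG_ALG}),
        "strict_both_supported": validate_strict(zone, {WEAK_ALG, STRONG_ALG}),
        "strict_weak_only_validator": validate_strict(zone, {WEAK_ALG}),
        "any_one_neither_supported": validate_any_one(zone, {13}),
    }


if __name__ == "__main__":
    for name, result in downgrade_scenario().items():
        print(f"{name}: {result}")
```

The `strict_weak_only_validator` entry is the "at least some protection" case described above: a validator lacking the stronger algorithm keeps the weak algorithm's guarantee, while a validator that has the stronger algorithm no longer accepts on the weak signature alone. Whether that distinction is worth the added validator logic is exactly the disagreement in this thread.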