IETF Logo Mail Archive

Re: [DNSOP] More private algorithms for DNSSEC

Mark Andrews <marka@isc.org> Mon, 28 March 2022 01:23 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5BE93A0D98 for <dnsop@ietfa.amsl.com>; Sun, 27 Mar 2022 18:23:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b=qq4TJHzv; dkim=pass (1024-bit key) header.d=isc.org header.b=CaxLq2OB
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aLhxXfDU8ro1 for <dnsop@ietfa.amsl.com>; Sun, 27 Mar 2022 18:23:17 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AAB4D3A0D96 for <dnsop@ietf.org>; Sun, 27 Mar 2022 18:23:16 -0700 (PDT)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.1.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id E0C843AB015; Mon, 28 Mar 2022 01:23:15 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org E0C843AB015
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1648430595; bh=P/Ye50IFk3Fwaj3+Cy3vuxcU4aQezlCFJwLmwnks5+U=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=qq4TJHzvGBQCPpwtrppwFAPPx1cpI5EqSydTwsHNHSluQ+Zs2IgFnVCBQKA93QL5X FTIqWbZ78Z3+JzKqynS0Ok2wPzIwUre1ZON7Yxa7gBk3sdM5U7GLIY7tRof8DLZqR7 JvT2GchCBBFgomVzh5KLgNjsiy7NHEAXTNRiBKHc=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id C65581104192; Mon, 28 Mar 2022 01:22:18 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 94BCA11041A4; Mon, 28 Mar 2022 01:22:18 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 94BCA11041A4
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1648430538; bh=oUPRVzM82yQmRmiDGwf4QlLBdRKoU2lmcrGnhrtbkQU=; h=Mime-Version:From:Date:Message-Id:To; b=CaxLq2OBqkPHXDEgEfpVJgqyNs2yNapI+fg850A41/N+K1+Nb4sFpX8HR3uJUeTy2 GB5V8lmDWHeW7K8tnwXCIxu9pjL+vBL6mz2PAxoGMOkkUG3VrqCVHgXWQ3K56zekT+ ZuukTwr9xHAEsbpExV8lOJSg+Fgoj0SBiAi/bYc0=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id YerdMmUqBtN1; Mon, 28 Mar 2022 01:22:18 +0000 (UTC)
Received: from smtpclient.apple (n114-74-26-107.bla4.nsw.optusnet.com.au [114.74.26.107]) by zimbrang.isc.org (Postfix) with ESMTPSA id E4E8D1104192; Mon, 28 Mar 2022 01:22:17 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <54622bd0dd3253187a9c9b69d0a1188a4d898bd9.camel@powerdns.com>
Date: Mon, 28 Mar 2022 12:23:10 +1100
Cc: dnsop WG <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <CC878AFE-3B67-49D9-9A9E-F3D21BC900FB@isc.org>
References: <5C105C71-B18C-4366-94F5-E8D60970109C@icann.org> <20B389EF-4909-43A0-9BC8-F57F5E332E8A@verisign.com> <1D59C3FB-4FCC-4A03-8E13-EA6902B14D2A@icann.org> <54622bd0dd3253187a9c9b69d0a1188a4d898bd9.camel@powerdns.com>
To: Peter van Dijk <peter.van.dijk@powerdns.com>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/eXF20gt-oeeN8Ojf7zQKPSOYqZI>
Subject: Re: [DNSOP] More private algorithms for DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Mar 2022 01:23:23 -0000

> On 23 Mar 2022, at 20:45, Peter van Dijk <peter.van.dijk@powerdns.com> wrote:
> 
> On Mon, 2022-03-21 at 19:32 +0000, Paul Hoffman wrote:
>> On Mar 21, 2022, at 11:34 AM, Wessels, Duane <dwessels=40verisign.com@dmarc.ietf.org> wrote:
>>> Is it in response to the DNS-OARC talk we saw about implementing PQC Falcon in PowerDNS, and they used the next unused algorithm number rather than a private algorithm?
>> 
>> Nils could have picked 253 but probably didn't even think of looking down to the bottom of the list. He was just following the time-honored pattern in the IETF. :-)
> 
> (I am not speaking for Nils, to be clear.)
> 
> 253 is not for experiments - it is for private production. It requires
> (as most of you might know) prefixing DNSKEY content with a private
> algorithm specifier that looks like a domain name (or, for 254, with a
> OID). This means if you were to use it for an experiment, your DNSKEY
> content, and thus signer and validation code, would need to be changed
> when you get a number assigned.

Please quote where it is stated that “private is not for experimentation”.

Private is private.  Do what you want with it as long as you identify the
the algorithm uniquely and that includes experimental implementations.

Also while it is nice to be able to just change a number to go from
experimental to production, in reality removing code that add / checks
the algorithm name at the same time is not a lot to ask vendors to do and
is unlikely to cause real problems. If you want you can actually keep the
name DNSKEY and DS records as a constant if you are too scared that vendors
will muck up the minor change of removing an identifying name.

There is zero reason to reserve any ADDITIONAL space for experimentation.

Domain names are cheap as are OIDs.

I do not support reserving more space.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email