Re: [DNSOP] [Ext] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost

Philip Homburg <pch-dnsop-5@u-1.phicoh.com> Thu, 02 May 2024 08:19 UTC

Message-Id: <m1s2Reg-0000LsC@stereo.hq.phicoh.net>
To: dnsop@ietf.org
Cc: Peter Thomassen <peter@desec.io>
From: Philip Homburg <pch-dnsop-5@u-1.phicoh.com>
References: <D95A2D1F-1203-4434-B643-DDFB5C24A161@icann.org> <67B93EF4-6B70-402E-9D78-1A079538CA18@strandkip.nl> <m1s1Wur-0000LDC@stereo.hq.phicoh.net> <f0f9c0ce-2911-9b4c-0d60-47c204add2d4@nohats.ca> <m1s1mGR-0000PPC@stereo.hq.phicoh.net> <fbce2996-346f-29fa-3534-45eaa142b96e@nohats.ca> <d73fc09e-c0c4-44f2-a67d-4cf5fafa0863@desec.io> <m1s2R59-0000MgC@stereo.hq.phicoh.net> <97900eaa-b190-472a-9d35-e3fa412b724c@desec.io>
In-reply-to: Your message of "Thu, 2 May 2024 09:58:43 +0200 ." <97900eaa-b190-472a-9d35-e3fa412b724c@desec.io>
Date: Thu, 02 May 2024 10:19:02 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/fYciu2iaTG432ys28CEC_FYx_hk>
Subject: Re: [DNSOP] [Ext] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>

In your letter dated Thu, 2 May 2024 09:58:43 +0200 you wrote:
>Right. Their policy may be "it's compliant and it works, so why roll?". It'll
>be easier to push those SHA-1 signers to switch if one can tell them "look, now
>you're not compliant anymore".

So basically we need a BCP: operators of zones MUST NOT sign their zones
with algorithms 5 and 7. If they currently do, they need to move away
from those algorithms as quickly as possible.

To me, that would sound better than trying to break protocols to get people
to move.
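A zone operator who wants to know whether the proposed BCP would apply to them needs to check which DNSSEC algorithms their zone is actually signed with. The script below is an added example, not part of the original thread or of any cited draft: it parses DNSKEY and RRSIG records in zone-file presentation format and flags algorithms 5 (RSASHA1) and 7 (RSASHA1-NSEC3-SHA1), plus 12 (ECC-GOST) from the draft title. The algorithm numbers and names are the IANA registry values; the sample zone data, the owner names and the key material are constructed placeholders.

```python
"""Audit DNSKEY/RRSIG records (presentation format) for DNSSEC signing
algorithms that the proposed BCP would forbid.  Added example; the zone
data below is constructed, not taken from any real zone."""
from dataclasses import dataclass

# IANA DNSSEC algorithm numbers and their registry names.
ALGORITHM_NAMES = {
    5: "RSASHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    12: "ECC-GOST",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
    15: "ED25519",
    16: "ED448",
}

# 5 and 7 are the SHA-1 based algorithms named in the message;
# 12 (ECC-GOST) comes from the must-not-ecc-gost draft in the subject line.
FORBIDDEN_ALGORITHMS = {5, 7, 12}


@dataclass(frozen=True)
class Finding:
    owner: str
    rrtype: str      # "DNSKEY" or "RRSIG"
    algorithm: int
    name: str


def parse_algorithm(line):
    """Return (owner, rrtype, algorithm) for a DNSKEY or RRSIG line, else None.

    Works with or without an explicit TTL by locating the class token 'IN'.
    DNSKEY rdata: flags protocol ALGORITHM publickey
    RRSIG  rdata: typecovered ALGORITHM labels origttl expire incept keytag signer sig
    """
    fields = line.split()
    if "IN" not in fields:
        return None
    cls_index = fields.index("IN")
    if cls_index + 2 >= len(fields):
        return None
    owner, rrtype = fields[0], fields[cls_index + 1]
    rdata = fields[cls_index + 2:]
    if rrtype == "DNSKEY" and len(rdata) >= 4:
        return owner, rrtype, int(rdata[2])
    if rrtype == "RRSIG" and len(rdata) >= 9:
        return owner, rrtype, int(rdata[1])
    return None


def audit_zone(zone_text):
    """Return a Finding for every DNSKEY/RRSIG that uses a forbidden algorithm."""
    findings = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parsed = parse_algorithm(line)
        if parsed is None:
            continue
        owner, rrtype, alg = parsed
        if alg in FORBIDDEN_ALGORITHMS:
            name = ALGORITHM_NAMES.get(alg, f"algorithm {alg}")
            findings.append(Finding(owner, rrtype, alg, name))
    return findings


def is_compliant(zone_text):
    """True when no DNSKEY or RRSIG in the zone uses a forbidden algorithm."""
    return not audit_zone(zone_text)


# Constructed sample: a zone still signed with algorithm 7.
LEGACY_ZONE = """\
; constructed sample data, keys and signatures are placeholders
legacy.example. 3600 IN DNSKEY 257 3 7 AwEAAcONSTRUCTEDKSKDATA==
legacy.example. 3600 IN DNSKEY 256 3 7 AwEAAcONSTRUCTEDZSKDATA==
legacy.example. 3600 IN RRSIG DNSKEY 7 2 3600 20240601000000 20240501000000 12345 legacy.example. Q09OU1RSVUNURUQ=
"""

# Constructed sample: a zone already on algorithm 13 (no TTL on the RRSIG line).
MODERN_ZONE = """\
modern.example. 3600 IN DNSKEY 257 3 13 Q09OU1RSVUNURURLRVk=
modern.example. IN RRSIG DNSKEY 13 2 3600 20240601000000 20240501000000 54321 modern.example. Q09OU1RSVUNURUQ=
"""

if __name__ == "__main__":
    for label, zone in (("legacy", LEGACY_ZONE), ("modern", MODERN_ZONE)):
        print(f"{label}: {'compliant' if is_compliant(zone) else 'NOT compliant'}")
        for f in audit_zone(zone):
            print(f"  {f.owner} {f.rrtype} uses algorithm {f.algorithm} ({f.name})")
```

Run it against the output of `dig +dnssec DNSKEY <zone>` or a signed zone file; any finding on a DNSKEY means the zone publishes a key of a forbidden algorithm, and any finding on an RRSIG means it is still producing signatures with one, which is the "if they currently do" case the message says must be moved away from.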