IETF Logo Mail Archive

Re: [DNSOP] [Ext] More private algorithms for DNSSEC

Nils Wisiol <nils@desec.io> Tue, 22 March 2022 08:56 UTC

Return-Path: <nils@desec.io>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 598F33A0D05; Tue, 22 Mar 2022 01:56:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=a4a.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D7Y4fONa3MJT; Tue, 22 Mar 2022 01:56:40 -0700 (PDT)
Received: from mail.a4a.de (mail.a4a.de [IPv6:2a01:4f8:10a:1d5c:8000::8]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B01433A0D06; Tue, 22 Mar 2022 01:56:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=a4a.de; s=20170825; h=Content-Transfer-Encoding:MIME-Version:Content-Type:References: In-Reply-To:Date:Cc:To:From:Subject:Message-ID:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=tcBYe3QLUJdz9HvNpXE4vPRqmZ1J+jo6d7FCDeKxwjw=; b=hX75KcnPuYAzqu2+8mFwZHpSCh ubFAyhEBhF1HG4lPvOmnIPuNLU32zwsLHFMWieqfFdxm9DI7WSPs3h6v8eInJX1fNteNw67Rz3Bpb cY8BkdNWJhkdL4w2mLPwHv4RjveHQyUARrGvPS2CqSHOflUofGMu/9uPNZB6QWJzGE7EMvUoLLlUO IA33Lp0LWzkZd8WnGLcGsE616RbX6zGide9Sb9vrDwxFHR0qKvvKKTv2hBbO0mN5wc4NU+nJJqpug q9MNxS2MDM+/7FXlRjfMp+dc7Mc52oNNFmc7W0AXZXOqAkYbxja64TUCpE+H8DtoYhzJdtkljOHUt 3dAgbXJQ==;
Received: from [2a02:8109:b03f:e20c:e190:b7dc:63dd:c22a] (helo=tp) by mail.a4a.de with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <nils@desec.io>) id 1nWaJY-0008JM-66; Tue, 22 Mar 2022 09:56:28 +0100
Message-ID: <90ca44a8ac157d6545258795508b624f9802e44c.camel@desec.io>
From: Nils Wisiol <nils@desec.io>
To: Paul Hoffman <paul.hoffman@icann.org>, "Wessels, Duane" <dwessels=40verisign.com@dmarc.ietf.org>
Cc: dnsop WG <dnsop@ietf.org>, Matthieu Grillere <matgrillere@gmail.com>, Peter Thomassen <peter@desec.io>
Date: Tue, 22 Mar 2022 09:56:27 +0100
In-Reply-To: <1D59C3FB-4FCC-4A03-8E13-EA6902B14D2A@icann.org>
References: <5C105C71-B18C-4366-94F5-E8D60970109C@icann.org> <20B389EF-4909-43A0-9BC8-F57F5E332E8A@verisign.com> <1D59C3FB-4FCC-4A03-8E13-EA6902B14D2A@icann.org>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.36.5-0ubuntu1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/fopce6dyiApet-FK6ikU-KpRxog>
Subject: Re: [DNSOP] [Ext] More private algorithms for DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Mar 2022 08:56:46 -0000

There was some internal discussion about using 17 vs 253, with the main
argument for 253 being that this is the intended use case for 253 and
the main argument for 17 being that worry that some resolver
implementations could have special treatment for private algorithm
numbers. As we are interested in how FALCON-512 would behave in the
existing DNSSEC infrastructure, I pushed for using 17. I have to admit
though that I did not do research whether there exists special
treatment for private algorithms.

To settle this, I would like to ask the resolver vendors on this list:
is your treatment of private DNSSEC algorithms (253) any different from
unknown algorithms (such as 17)?

In any event, we shall make our implementation flexible wrt to the used
algorithm number(s). The intent was explicitly not to make any claims
on unused numbers.

Best,
Nils

On Mon, 2022-03-21 at 19:32 +0000, Paul Hoffman wrote:
> On Mar 21, 2022, at 11:34 AM, Wessels, Duane <
> dwessels=40verisign.com@dmarc.ietf.org> wrote:
> > Is it in response to the DNS-OARC talk we saw about implementing
> > PQC Falcon in PowerDNS, and they used the next unused algorithm
> > number rather than a private algorithm?
> 
> Nils could have picked 253 but probably didn't even think of looking
> down to the bottom of the list. He was just following the time-
> honored pattern in the IETF. :-)
> 
> > If the authors of that work are on this list I would be interested
> > to hear from them about that decision. In particular, would just
> > having more private algorithms change their thinking or is
> > something else needed?
> 
> They only needed one. This draft is for experimenters who need many
> at the same time. NIST has said that they are likely to later
> standardize on multiple post-quantum signature algorithms which will
> create larger payloads, and the DNSSEC community will have to decide
> if it wants just one of those, or many. Having a bit of experimental
> space for authoritative and recursive developers would be good, given
> that basically the entire range will be empty for centuries.
> 
> --Paul Hoffman
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
-- 
deSEC e.V. · Kyffhäuserstr. 5 · 10781 Berlin · Germany

Vorstandsvorsitz: Nils Wisiol
Registergericht: AG Berlin (Charlottenburg) VR 37525

v2.23.0 | Report a Bug | By Email