Re: [DNSOP] [Ext] More private algorithms for DNSSEC
Nils Wisiol <nils@desec.io> Tue, 22 March 2022 08:56 UTC
Return-Path: <nils@desec.io>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 598F33A0D05; Tue, 22 Mar 2022 01:56:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=a4a.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D7Y4fONa3MJT; Tue, 22 Mar 2022 01:56:40 -0700 (PDT)
Received: from mail.a4a.de (mail.a4a.de [IPv6:2a01:4f8:10a:1d5c:8000::8]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B01433A0D06; Tue, 22 Mar 2022 01:56:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=a4a.de; s=20170825; h=Content-Transfer-Encoding:MIME-Version:Content-Type:References: In-Reply-To:Date:Cc:To:From:Subject:Message-ID:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=tcBYe3QLUJdz9HvNpXE4vPRqmZ1J+jo6d7FCDeKxwjw=; b=hX75KcnPuYAzqu2+8mFwZHpSCh ubFAyhEBhF1HG4lPvOmnIPuNLU32zwsLHFMWieqfFdxm9DI7WSPs3h6v8eInJX1fNteNw67Rz3Bpb cY8BkdNWJhkdL4w2mLPwHv4RjveHQyUARrGvPS2CqSHOflUofGMu/9uPNZB6QWJzGE7EMvUoLLlUO IA33Lp0LWzkZd8WnGLcGsE616RbX6zGide9Sb9vrDwxFHR0qKvvKKTv2hBbO0mN5wc4NU+nJJqpug q9MNxS2MDM+/7FXlRjfMp+dc7Mc52oNNFmc7W0AXZXOqAkYbxja64TUCpE+H8DtoYhzJdtkljOHUt 3dAgbXJQ==;
Received: from [2a02:8109:b03f:e20c:e190:b7dc:63dd:c22a] (helo=tp) by mail.a4a.de with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <nils@desec.io>) id 1nWaJY-0008JM-66; Tue, 22 Mar 2022 09:56:28 +0100
Message-ID: <90ca44a8ac157d6545258795508b624f9802e44c.camel@desec.io>
From: Nils Wisiol <nils@desec.io>
To: Paul Hoffman <paul.hoffman@icann.org>, "Wessels, Duane" <dwessels=40verisign.com@dmarc.ietf.org>
Cc: dnsop WG <dnsop@ietf.org>, Matthieu Grillere <matgrillere@gmail.com>, Peter Thomassen <peter@desec.io>
Date: Tue, 22 Mar 2022 09:56:27 +0100
In-Reply-To: <1D59C3FB-4FCC-4A03-8E13-EA6902B14D2A@icann.org>
References: <5C105C71-B18C-4366-94F5-E8D60970109C@icann.org> <20B389EF-4909-43A0-9BC8-F57F5E332E8A@verisign.com> <1D59C3FB-4FCC-4A03-8E13-EA6902B14D2A@icann.org>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.36.5-0ubuntu1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/fopce6dyiApet-FK6ikU-KpRxog>
Subject: Re: [DNSOP] [Ext] More private algorithms for DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Mar 2022 08:56:46 -0000
There was some internal discussion about using 17 vs 253, with the main argument for 253 being that this is the intended use case for 253 and the main argument for 17 being that worry that some resolver implementations could have special treatment for private algorithm numbers. As we are interested in how FALCON-512 would behave in the existing DNSSEC infrastructure, I pushed for using 17. I have to admit though that I did not do research whether there exists special treatment for private algorithms. To settle this, I would like to ask the resolver vendors on this list: is your treatment of private DNSSEC algorithms (253) any different from unknown algorithms (such as 17)? In any event, we shall make our implementation flexible wrt to the used algorithm number(s). The intent was explicitly not to make any claims on unused numbers. Best, Nils On Mon, 2022-03-21 at 19:32 +0000, Paul Hoffman wrote: > On Mar 21, 2022, at 11:34 AM, Wessels, Duane < > dwessels=40verisign.com@dmarc.ietf.org> wrote: > > Is it in response to the DNS-OARC talk we saw about implementing > > PQC Falcon in PowerDNS, and they used the next unused algorithm > > number rather than a private algorithm? > > Nils could have picked 253 but probably didn't even think of looking > down to the bottom of the list. He was just following the time- > honored pattern in the IETF. :-) > > > If the authors of that work are on this list I would be interested > > to hear from them about that decision. In particular, would just > > having more private algorithms change their thinking or is > > something else needed? > > They only needed one. This draft is for experimenters who need many > at the same time. NIST has said that they are likely to later > standardize on multiple post-quantum signature algorithms which will > create larger payloads, and the DNSSEC community will have to decide > if it wants just one of those, or many. Having a bit of experimental > space for authoritative and recursive developers would be good, given > that basically the entire range will be empty for centuries. > > --Paul Hoffman > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- deSEC e.V. · Kyffhäuserstr. 5 · 10781 Berlin · Germany Vorstandsvorsitz: Nils Wisiol Registergericht: AG Berlin (Charlottenburg) VR 37525
- [DNSOP] More private algorithms for DNSSEC Paul Hoffman
- Re: [DNSOP] More private algorithms for DNSSEC Paul Wouters
- Re: [DNSOP] More private algorithms for DNSSEC Wessels, Duane
- Re: [DNSOP] [Ext] More private algorithms for DNS… Paul Hoffman
- Re: [DNSOP] [Ext] More private algorithms for DNS… Nils Wisiol
- Re: [DNSOP] [Ext] More private algorithms for DNS… Mark Andrews
- Re: [DNSOP] More private algorithms for DNSSEC Peter van Dijk
- Re: [DNSOP] More private algorithms for DNSSEC Petr Špaček
- Re: [DNSOP] More private algorithms for DNSSEC Nils Wisiol
- Re: [DNSOP] [Ext] More private algorithms for DNS… Vladimír Čunát
- Re: [DNSOP] More private algorithms for DNSSEC Mark Andrews
- Re: [DNSOP] More private algorithms for DNSSEC Nils Wisiol
- Re: [DNSOP] More private algorithms for DNSSEC Mark Andrews
- Re: [DNSOP] [Ext] More private algorithms for DNS… Paul Hoffman
- Re: [DNSOP] [Ext] More private algorithms for DNS… Mark Andrews
- Re: [DNSOP] [Ext] More private algorithms for DNS… Mark Andrews
- Re: [DNSOP] [Ext] More private algorithms for DNS… Peter Thomassen
- Re: [DNSOP] [Ext] More private algorithms for DNS… Mark Andrews
- Re: [DNSOP] [Ext] More private algorithms for DNS… Mark Andrews
- Re: [DNSOP] [Ext] More private algorithms for DNS… Brian Dickson
- Re: [DNSOP] [Ext] More private algorithms for DNS… Mark Andrews
- Re: [DNSOP] More private algorithms for DNSSEC Blacka, David
- Re: [DNSOP] More private algorithms for DNSSEC Mark Andrews
- Re: [DNSOP] More private algorithms for DNSSEC Nils Wisiol