Re: [DNSOP] [Ext] Call for Adoption: draft-hoffman-dnssec-iana-cons

Paul Wouters <paul@nohats.ca> Wed, 06 January 2021 22:11 UTC

From: Paul Wouters <paul@nohats.ca>
Mime-Version: 1.0 (1.0)
Date: Wed, 06 Jan 2021 17:11:25 -0500
Message-Id: <1AACE627-3ABD-42F2-A715-F092925E7640@nohats.ca>
References: <BE8EEAE6-A33A-41FF-908E-821FB3850422@icann.org>
Cc: dnsop <dnsop@ietf.org>
In-Reply-To: <BE8EEAE6-A33A-41FF-908E-821FB3850422@icann.org>
To: Paul Hoffman <paul.hoffman@icann.org>
X-Mailer: iPhone Mail (18C66)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/izcjcYzT_qAj1CmN5Fg08_mo1MQ>
Subject: Re: [DNSOP] [Ext] Call for Adoption: draft-hoffman-dnssec-iana-cons

On Jan 6, 2021, at 16:30, Paul Hoffman <paul.hoffman@icann.org> wrote:
> 
> On Jan 6, 2021, at 1:19 PM, Paul Wouters <paul@nohats.ca> wrote:
>> Remember also that TLS ciphers are negotiated.
> 
> A better analogy might be "although TLS key exchange and encryption ciphers are negotiated, the signing algorithm on the server's certificate is not negotiated". DNSSEC signing is much more akin to the latter, I think.
> 
>> There is no negotiation
>> in DNSSEC.
> 
> Quite right, just as there is no negotiation for the authentication in TLS.

I stand corrected. You are right.

Paul
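The contrast the thread settles on, as an added illustration that is not part of either poster's message: a TLS-style exchange picks a mutually supported suite from both sides' lists, whereas a DNSSEC validator only ever sees the algorithm the signer chose and must decide what to do with it. The model below is a deliberately simplified one (no wire formats, no real signature checks; `signature_verifies` is a constructed boolean standing in for the cryptographic check). The algorithm numbers are the real IANA DNSSEC values; the "treat an unsupported DS algorithm as unsigned" rule is the RFC 4035 section 5.2 behaviour, and the multi-algorithm case shows why a signer that wants broad reach publishes more than one algorithm rather than negotiating.

```python
"""Negotiated (TLS-style) versus non-negotiated (DNSSEC) algorithm choice.

Simplified teaching model, not a validator: there is no DNS parsing and
signatures are represented by a constructed boolean.
"""
from typing import Iterable, List, Optional, Sequence, Set, Tuple

# Real IANA DNSSEC algorithm numbers.
RSASHA1 = 5
RSASHA256 = 8
ECDSAP256SHA256 = 13
ED25519 = 15
ED448 = 16

# One (algorithm, signature_verifies) pair per RRSIG; the boolean is a
# constructed stand-in for the actual cryptographic verification result.
Rrsig = Tuple[int, bool]


def tls_negotiate(client_prefs: Sequence[str], server_supported: Set[str]) -> Optional[str]:
    """TLS-style negotiation: both sides contribute a list and the first
    client preference the server also supports wins. None = no common suite,
    so the handshake fails rather than proceeding with a weaker choice."""
    for suite in client_prefs:
        if suite in server_supported:
            return suite
    return None


def dnssec_outcome(ds_algorithms: Iterable[int], rrsigs: List[Rrsig],
                   validator_supported: Set[int]) -> str:
    """Non-negotiated: the signer already chose its algorithm(s); the
    validator can only accept, reject, or give up.

    Returns one of "secure", "insecure", "bogus" following the
    RFC 4035 section 5.2 rule for unsupported DS algorithms.
    """
    usable = set(ds_algorithms) & validator_supported
    if not usable:
        # No supported authentication path from parent to child: the zone is
        # treated as if it were unsigned, not rejected and not renegotiated.
        return "insecure"
    for algorithm, verifies in rrsigs:
        if algorithm in usable and verifies:
            return "secure"
    # A supported algorithm was advertised in the DS but no signature checked out.
    return "bogus"


def migration_example() -> Tuple[str, str]:
    """Why signers publish several algorithms instead of negotiating: a zone
    double-signed with RSASHA256 and ED25519 validates both on a resolver
    that knows only the older algorithm and on one that knows both."""
    ds = [RSASHA256, ED25519]
    rrsigs = [(RSASHA256, True), (ED25519, True)]
    old_resolver = {RSASHA1, RSASHA256}
    new_resolver = {RSASHA256, ECDSAP256SHA256, ED25519}
    return dnssec_outcome(ds, rrsigs, old_resolver), dnssec_outcome(ds, rrsigs, new_resolver)


if __name__ == "__main__":
    print(tls_negotiate(["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"],
                        {"TLS_CHACHA20_POLY1305_SHA256"}))
    modern = {RSASHA256, ECDSAP256SHA256, ED25519}
    print(dnssec_outcome([ED448], [(ED448, True)], modern))          # insecure
    print(dnssec_outcome([ECDSAP256SHA256], [(ECDSAP256SHA256, True)], modern))   # secure
    print(dnssec_outcome([ECDSAP256SHA256], [(ECDSAP256SHA256, False)], modern))  # bogus
    print(migration_example())
```

The operational point for a defender is the "insecure" branch: a zone signed only with an algorithm your resolvers do not implement is not protected at all from their point of view, and nothing in the protocol will tell the signer that happened.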