Re: [DNSOP] New Version Notification for draft-pusateri-dnsop-update-timeout-00.txt

Mark Andrews <marka@isc.org> Tue, 04 September 2018 00:58 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 855E6130E61 for <dnsop@ietfa.amsl.com>; Mon, 3 Sep 2018 17:58:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FiZulGkj99wy for <dnsop@ietfa.amsl.com>; Mon, 3 Sep 2018 17:58:38 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D922130E60 for <dnsop@ietf.org>; Mon, 3 Sep 2018 17:58:38 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id BD26E3AB044; Tue, 4 Sep 2018 00:58:37 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id A742D16005C; Tue, 4 Sep 2018 00:58:37 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 81E48160066; Tue, 4 Sep 2018 00:58:37 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 6rHBzQ7ZRpdU; Tue, 4 Sep 2018 00:58:37 +0000 (UTC)
Received: from [172.30.42.67] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id B2D1B16005C; Tue, 4 Sep 2018 00:58:36 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <EA46641B-CD22-4549-862D-CF1508B81E0A@isc.org>
Date: Tue, 4 Sep 2018 10:58:33 +1000
Cc: dnsop WG <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <4A37A03C-0E35-49D5-BFEB-29CFC02FD9DF@isc.org>
References: <153507165910.12116.7113196606839876181.idtracker@ietfa.amsl.com> <AFB90F6F-5D99-4403-AAB6-1123727973E6@bangj.com> <EA46641B-CD22-4549-862D-CF1508B81E0A@isc.org>
To: Tom Pusateri <pusateri@bangj.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/jQFPn2CIE8cFAEHA1dznzw35nfg>
Subject: Re: [DNSOP] New Version Notification for draft-pusateri-dnsop-update-timeout-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Sep 2018 00:58:40 -0000

6.  Cryptographic Hash Requirements


   The cryptographic hash algorithm used SHOULD provide the following
   properties:

   1.  Well known algorithm with implementations easily available.

   2.  Trusted algorithm with resistance to collision attacks.

   3.  Minimize output length for efficient storage in the TIMEOUT
       resource record.

   While computational complexity is always a consideration when
   selecting algorithms, the frequency of this calculation is intended
   to be low volume and, therefore, this property is of reduced
   importance.

SHAKE128 does not meet these requirements.  In OPENSSL it is only
available in pre-release code.  It will be years before OPENSSL-1.1.1
is the OPENSSL release for most operating systems.

We (ISC) haven’t started working out what OPENSSL-1.1.1 breaks yet.
OPENSSL-1.1.0 broke lots of existing code.  Lots of code required
re-writing to work with OPENSSL-1.1.0 as it broke backwards compatibility
with OPENSSL-1.0.x.

Please pick hash algorithms that are already USED by DNS.  The results
can be truncated if you are worried about space.

And no it isn’t as easy as just calling OPENSSL.  PKCS#11 providers
also need to support the hash algorithm.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org