[DNSOP] draft-ietf-dnsop-algorithm-update

Michael StJohns <msj@nthpermutation.com> Fri, 12 April 2019 15:05 UTC


Hi -

I had someone ask me (last night!!) whether or not the "must sign each 
RRSet with all of the algorithms in the DNSKEY RRSet" rule applies if 
the only key with algorithm A in the RRSet has the revoke bit set.  A 
question I had never previously considered.

Given that you can't trace trust through that revoked key, and any RRSig 
originated by that key is just extraneous bits, I came to three 
conclusions:  1) A key must not be counted for the purposes of the rule 
if it has the (RFC5011) revoke bit set, 2) the only RRSigs created by a 
revoked key are over the DNSKEY RRSet and 3) it's possible/probable that 
interpretations could differ.

I tagged this email with the algorithm update ID/RFC candidate because 
about the only time you're going to see a revoked singleton key of a 
given algorithm is when you're transitioning the algorithms for the zone.

I hesitate to ask - and apologize for asking given the late date for 
this document, but should the statements (1) and (2) above or something 
similar be included in this document for completeness?

Alternatively, what breaks if publishers omit the extraneous signatures 
just because?

Later, Mike
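An added example, not from the post or from the draft, that encodes the reading proposed above as a validator-side check: a key with the RFC 5011 REVOKE bit is not counted for the "sign with every algorithm" rule (conclusion 1), and a revoked key's signature is expected only over the DNSKEY RRset (conclusion 2). The key tags, the zone layout and the `count_revoked` switch (which shows how the stricter reading would judge the same RRsets) are constructed for illustration.

```python
from dataclasses import dataclass

REVOKE = 0x0080    # RFC 5011 REVOKE bit in the DNSKEY flags field
ZONE_KEY = 0x0100  # RFC 4034 Zone Key bit
SEP = 0x0001       # RFC 4034 Secure Entry Point bit

@dataclass(frozen=True)
class DNSKEY:
    key_tag: int    # constructed tag, not derived from key material
    algorithm: int
    flags: int

@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    algorithm: int

def counted_algorithms(dnskeys, count_revoked=False):
    """Algorithms the 'sign with every algorithm' rule requires.
    Under the post's reading (count_revoked=False) only zone keys with the
    REVOKE bit clear count; count_revoked=True is the stricter reading."""
    return {k.algorithm for k in dnskeys
            if k.flags & ZONE_KEY and (count_revoked or not k.flags & REVOKE)}

def check_rrset(dnskeys, rrsigs, rrtype, count_revoked=False):
    """Return (missing_algorithms, extraneous_rrsigs) for one RRset.
    A revoked key's RRSIG belongs only over DNSKEY (RFC 5011 requires it
    there); over any other RRset it is reported as extraneous."""
    required = counted_algorithms(dnskeys, count_revoked)
    revoked_tags = {k.key_tag for k in dnskeys if k.flags & REVOKE}
    present = {s.algorithm for s in rrsigs}
    extraneous = [s for s in rrsigs
                  if s.key_tag in revoked_tags and rrtype != "DNSKEY"]
    return required - present, extraneous

# Constructed zone mid-transition from algorithm 8 (RSA/SHA-256) to
# algorithm 13 (ECDSA P-256/SHA-256): the only algorithm-8 key is revoked.
DNSKEYS = [
    DNSKEY(key_tag=11111, algorithm=8, flags=ZONE_KEY | SEP | REVOKE),
    DNSKEY(key_tag=22222, algorithm=13, flags=ZONE_KEY | SEP),
    DNSKEY(key_tag=33333, algorithm=13, flags=ZONE_KEY),
]
DNSKEY_RRSIGS = [RRSIG(11111, 8), RRSIG(22222, 13)]  # revoked key signs DNSKEY
A_RRSIGS = [RRSIG(33333, 13), RRSIG(11111, 8)]       # and, needlessly, an A RRset

if __name__ == "__main__":
    print(check_rrset(DNSKEYS, DNSKEY_RRSIGS, "DNSKEY"))
    print(check_rrset(DNSKEYS, A_RRSIGS, "A"))
    print(check_rrset(DNSKEYS, [RRSIG(33333, 13)], "A", count_revoked=True))
```

With the revoked key excluded, an A RRset signed only by algorithm 13 passes; the same RRset fails under the stricter reading, which is the divergence conclusion 3 anticipates.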