Re: [DNSOP] [Ext] Call for Adoption: draft-hoffman-dnssec-iana-cons

Paul Wouters <paul@nohats.ca> Thu, 31 December 2020 03:22 UTC

From: Paul Wouters <paul@nohats.ca>
Mime-Version: 1.0 (1.0)
Date: Wed, 30 Dec 2020 22:22:51 -0500
Message-Id: <2E8229BE-E764-4C29-A258-8C469717E38A@nohats.ca>
References: <CADZyTkn1QuvjencR8+wVtQ9bzQHJT9JXXNku1LPr3YRmRt4KQg@mail.gmail.com>
Cc: Paul Hoffman <paul.hoffman@icann.org>, dnsop <dnsop@ietf.org>
In-Reply-To: <CADZyTkn1QuvjencR8+wVtQ9bzQHJT9JXXNku1LPr3YRmRt4KQg@mail.gmail.com>
To: Daniel Migault <mglt.ietf@gmail.com>
X-Mailer: iPhone Mail (18C66)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/mlhWMWnXIeVLeQSGJt_AgzpHQCI>
Subject: Re: [DNSOP] [Ext] Call for Adoption: draft-hoffman-dnssec-iana-cons

On Dec 30, 2020, at 22:11, Daniel Migault <mglt.ietf@gmail.com> wrote:
> 
> 
> <mglt>
> If I understand clearly the comment, it seems to say that TLS ( for example ) is using RFC Required and that DNSSEC should do the same. Quickly going through RFC 8447, I cannot find "RFC Required", so I am wondering if you have a specific registry in mind. As far as I can see, the TLS cipher suite registry requires Standard Action to set Recommended to "Y" and Specification Required otherwise. As a result, leaving it to Standard Action seems better aligned with what TLS does for "Recommended".

As previously explained in this thread, you cannot compare TLS with DNSSEC. With TLS you can offer IETF algorithms along with a nation state algo, and the client can pick what it prefers.

For DNSSEC, the signed zone has already made all the decisions. A DNS client cannot decide to use or not use its local national algo.

Paul

> My motivation for not lowering the requirement is based on the specificities of DNS, that is, the DNS is a system that handles a global shared resource

For those regimes who, for instance, are not allowed to trust RSA or NIST/NSA-based ECC curves, do you prefer those zones use no DNSSEC at all versus, say, GOST?

Because that’s what you are offering as the only choice now.

Paul
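The difference Paul is drawing between TLS and DNSSEC can be shown as a small decision model. This is an added illustration, not code from the message or from any DNSSEC implementation; the DNSSEC rule it encodes is the one from RFC 4035 section 5.2 and RFC 6840 section 5.2 (a validator that supports none of the algorithms in the DS RRset treats the zone as insecure, not bogus), the algorithm numbers are the IANA ones for RSASHA256 (8), ECC-GOST (12) and ECDSAP256SHA256 (13), and the cipher-suite labels and the two resolvers' supported sets are constructed.

```python
"""Toy model: who gets to choose the algorithm in TLS versus DNSSEC.

Constructed example. Algorithm numbers: 8 = RSASHA256, 12 = ECC-GOST,
13 = ECDSAP256SHA256 (IANA DNSSEC algorithm registry). Suite names and
the resolver capability sets below are made up for illustration.
"""


def tls_pick(own_prefs, peer_offers):
    """TLS: both sides can offer several algorithms, and the endpoint picks
    from the intersection in its own preference order. A national algorithm
    alongside IETF ones costs nothing for peers that skip it."""
    for suite in own_prefs:
        if suite in peer_offers:
            return suite
    return None  # no overlap at all: handshake fails


def dnssec_outcome(ds_algorithms, validator_supported):
    """DNSSEC: the signer already fixed the algorithms via the DS RRset in
    the parent. The validator does not negotiate; per RFC 4035/6840 it
    validates with any algorithm it supports, otherwise it must treat the
    zone as insecure, exactly as if the zone were unsigned."""
    if not ds_algorithms:
        return "insecure (no DS: zone is unsigned)"
    usable = [alg for alg in ds_algorithms if alg in validator_supported]
    if usable:
        return f"secure (validated with algorithm {usable[0]})"
    return "insecure (DS present but no supported algorithm)"


def demo():
    """Walk both models over the scenarios discussed in the thread."""
    western = {8, 13}   # constructed: resolver trusting RSA and NIST ECC only
    gost_only = {12}    # constructed: resolver in a regime that permits GOST only
    return {
        # TLS peer offers an IETF suite plus a national one; picker chooses.
        "tls": tls_pick(["GOST-suite", "AES-GCM"], {"AES-GCM", "GOST-suite"}),
        # Zone signed with RSA and GOST: everyone validates with what they have.
        "rsa+gost@western": dnssec_outcome([8, 12], western),
        # Zone signed with GOST only: western validators get no DNSSEC at all.
        "gost@western": dnssec_outcome([12], western),
        # Zone signed with RSA only: a GOST-only regime gets no DNSSEC either.
        "rsa@gost_only": dnssec_outcome([8], gost_only),
        "gost@gost_only": dnssec_outcome([12], gost_only),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18} -> {result}")
```

The last two cases are the choice Paul describes: for a validator that may only trust GOST, a zone signed with RSA alone is indistinguishable from an unsigned one, so the zone's options are GOST or no DNSSEC.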