Re: [DNSOP] Call for Adoption draft-wouters-sury-dnsop-algorithm-update

Roy Arends <roy@dnss.ec> Tue, 28 February 2017 22:08 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/n5-uIHvX21J8n4a79L5M2q33UpE>

> On 28 Feb 2017, at 21:35, Paul Wouters <paul@nohats.ca> wrote:
> 
> On Tue, 28 Feb 2017, Roy Arends wrote:
> 
>> Since the last update of this draft, a full collision has been found.
>> 
>> Do the authors intend to update the draft to state that SHA1 SHOULD NOT be used for DNSSEC signing (DNSKEY algorithm 5,6,7) and for DNSSEC Delegation (DS and CDS algorithm 1) ?
> 
> That seems a bit dramatic to this author :)
> 
> We can't stuff PDF prefixes into this,

We don’t need to.

> there are a lot less bytes
> for an attacker to play with.

A CNAME chain will give you plenty of bytes to futz with. 

> 
>> Please also refrain from using MUST- SHOULD+ and SHOULD-.
> 
> For this SHA1 case or in general?

In general.

> I'd say we could update the DNSSEC
> Signing entry from MUST- to SHOULD NOT

Good. That is exactly my request.

> but I would leave SHA1 for
> DNSSEC validation at MUST-.

I’d say you have to update that as well to SHOULD NOT.

> There is a need to move people away from SHA1,

Yes, there is.

Roy
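
The following is an added example, not part of the original message or of the draft under discussion. It inventories where SHA-1 appears in a zone, using the identifiers named in the thread (DNSKEY algorithms 5, 6, 7 and DS/CDS digest type 1), plus RRSIG records, which carry the same algorithm number. It assumes one record per line with the owner name present; the zone data is constructed.

```python
# Added example: flag SHA-1 in DNSSEC records given in presentation format.
# Assumes one record per line (no multi-line parentheses), owner name present.

SHA1_SIGNING_ALGS = {5: "RSASHA1", 6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1"}
SHA1_DIGEST_TYPE = 1                                  # DS/CDS digest type 1 = SHA-1
ALG_FIELD = {"DNSKEY": 2, "RRSIG": 1, "DS": 1, "CDS": 1}  # rdata index of algorithm
DIGEST_FIELD = {"DS": 2, "CDS": 2}                    # rdata index of digest type

def audit_record(line):
    """Return a list of (owner, rtype, reason) findings for one record line."""
    tokens = line.split(";", 1)[0].split()            # drop trailing comment
    # TTL and class are optional, so locate the type token after the owner.
    idx = next((i for i, t in enumerate(tokens[1:], 1)
                if t.upper() in ALG_FIELD), None)
    if idx is None:
        return []
    owner, rtype, rdata = tokens[0], tokens[idx].upper(), tokens[idx + 1:]
    findings = []
    try:
        alg = int(rdata[ALG_FIELD[rtype]])
        if alg in SHA1_SIGNING_ALGS:
            findings.append((owner, rtype,
                             f"algorithm {alg} ({SHA1_SIGNING_ALGS[alg]})"))
        if rtype in DIGEST_FIELD and int(rdata[DIGEST_FIELD[rtype]]) == SHA1_DIGEST_TYPE:
            findings.append((owner, rtype, "digest type 1 (SHA-1)"))
    except (IndexError, ValueError):
        pass                                          # malformed rdata: nothing to report
    return findings

def audit_zone(text):
    """Audit every line; return (line_number, owner, rtype, reason) tuples."""
    return [(n, *f) for n, line in enumerate(text.splitlines(), 1)
            for f in audit_record(line)]

# Constructed sample records (keys, digests and signatures are placeholders).
SAMPLE_ZONE = """\
example.test. 3600 IN DNSKEY 257 3 7 AwEAAcNvbnN0cnVjdGVk
example.test. 3600 IN DNSKEY 256 3 13 Y29uc3RydWN0ZWQ=
example.test. 3600 IN DS 12345 13 2 00112233445566778899AABBCCDDEEFF
example.test. 3600 IN DS 12345 7 1 00112233445566778899AABB
example.test. IN CDS 12345 13 1 00112233445566778899AABB
www.example.test. 300 IN RRSIG A 5 3 300 20170401000000 20170301000000 12345 example.test. c2ln
www.example.test. 300 IN A 192.0.2.1
"""

if __name__ == "__main__":
    for finding in audit_zone(SAMPLE_ZONE):
        print(*finding)
```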