Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC

Shumon Huque <shuque@gmail.com> Thu, 20 July 2017 08:45 UTC

In-Reply-To: <CAN6NTqwB8b1aFsZg=LnaLWLrhLDe9-N3CVPO=qcHWXZTqSettg@mail.gmail.com>
References: <CAHPuVdUVQqvFZJFV4D88cg4fGfFqxnzAwj1VRr6oK7Y1n9hDUw@mail.gmail.com> <CAN6NTqwi62xGtLnjNtV-CDCBKBV1TVEsCjbGUvtf_nxmcZEapw@mail.gmail.com> <CAHPuVdWisdPS3ezBsGSyX7Uh7Yw3HHcTaHHz3y9xA+Fow7G4Yw@mail.gmail.com> <CAN6NTqwB8b1aFsZg=LnaLWLrhLDe9-N3CVPO=qcHWXZTqSettg@mail.gmail.com>
From: Shumon Huque <shuque@gmail.com>
Date: Thu, 20 Jul 2017 10:45:44 +0200
Message-ID: <CAHPuVdVGn0p9g5c-kXwmy_N2WtrGxDhcEG2mkxWyvh5XVTcMoQ@mail.gmail.com>
To: Ólafur Guðmundsson <olafur@cloudflare.com>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/nq0-quSKOT0I2os1p7R6d_-jtog>
Subject: Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC

On Thu, Jul 20, 2017 at 10:39 AM, Ólafur Guðmundsson <olafur@cloudflare.com> wrote:
>
> I disagree. If a zone operator selects a "less-than-common" algorithm, they
> do that at their own risk; if the risk is not acceptable, then they should
> dual sign...
>

Yes. The point I was trying to make is that DANE sites (and probably others
if they care about security) cannot afford to fail open. So they have to
dual sign if they can stomach the costs, or delay deploying new algorithms
for a long time. This draft is intended to (eventually) make the dual
signing case easier to deal with operationally.

-- 
Shumon Huque