Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC

"Michael H. Warfield" <mhw@wittsend.com> Mon, 10 July 2017 20:12 UTC

Message-ID: <1499717103.5817.19.camel@WittsEnd.com>
From: "Michael H. Warfield" <mhw@wittsend.com>
Reply-To: mhw@wittsend.com
To: Bob Harold <rharolde@umich.edu>, Shumon Huque <shuque@gmail.com>
Cc: "Michael H.Warfield" <mhw@WittsEnd.com>, "dnsop@ietf.org WG" <dnsop@ietf.org>
Date: Mon, 10 Jul 2017 16:05:03 -0400
In-Reply-To: <CA+nkc8BiSMSNqa9FifNAqWiZuf7prVjD6EKSnbFjq_EWi8kSoA@mail.gmail.com>
References: <CAHPuVdUVQqvFZJFV4D88cg4fGfFqxnzAwj1VRr6oK7Y1n9hDUw@mail.gmail.com> <CA+nkc8BiSMSNqa9FifNAqWiZuf7prVjD6EKSnbFjq_EWi8kSoA@mail.gmail.com>
Organization: Thaumaturgy & Speculums Technology
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/pzs8NaUntivwpci4lenxOe6RmkY>
Subject: Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC

On Mon, 2017-07-10 at 13:50 -0400, Bob Harold wrote:

> On Tue, Jul 4, 2017 at 11:42 AM, Shumon Huque <shuque@gmail.com>
> wrote:
> > Hi folks,

...

> And perhaps a really dumb off-topic question:
> I do not use DNSSEC yet, mostly due to time and effort, secondly due
> to concern over the additional size and processing.  Is it possible
> for me to start with a new, rarely implemented, algorithm with
> shorter records, that most resolvers won't understand yet, and have
> those that don't understand it treat the zone as unsigned?  Or will
> it break everything?  (Section 5 sounds like it breaks)

There is not much at all involved in time or effort any more.

I used to manually sign my zones but I've shifted over to having "bind"
just manage all my key signing and I just update the zone and it
happens.  You just set up your initial keys and register your KSK (Key
Signing Key) with your registrar (assuming they support it) and you
should be good to go.  Rolling your KSKs is still (cough) entertaining
but not essential if you're just getting your feet wet.

Some registrars support this and some don't.  Some will support DNSsec
for the zones but then require you to "self host" your DNS (optionally
slaving from your master).  I self host and always have.  I also use
Hurricane Electric for additional slaves.  They've gotten much better
at DNSsec though they won't manage it for their hosted zones.
DreamHost is another one that will support registration but you have to
self host your master (which then becomes problematical if you want
them to host your web site).  If you want the hosting company to manage
DNSsec for you, good luck.  There are some registrars (some very big
ones) that still don't support DNSsec or only support it as a "premium"
feature and you should just kick them to the curb.

Overall, it's gotten a lot easier and really not a big deal.  The biggest
challenge is getting your IT department to spell DNSsec.  :-P

Mike

> -- 
> Bob Harold

-- 
Michael H. Warfield (AI4NB) | (706) 850-8770 |  mhw@WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
ARIN whois: ARIN-MHW9       | An optimist believes we live in the best of all
PGP Key: 0xC0EB9675674627FF | possible worlds.  A pessimist is sure of it!
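The "register your KSK with your registrar" step in Mike's reply means handing the registrar a DS record derived from the KSK's DNSKEY. The following is an added example, not code from the post or from BIND: it derives that DS per RFC 4034 / RFC 4509 and checks a DS published at the parent against the KSK actually in the zone. The owner name and the 64-byte "public key" are constructed values, not a real key.

```python
import base64
import hashlib

# Constructed sample: a 64-byte byte pattern stands in for an ECDSA P-256
# (algorithm 13) public key. Flags 257 = ZONE (0x0100) + SEP (0x0001), i.e. a KSK.
OWNER = "Example.COM."
CONSTRUCTED_KEY = bytes(range(64))
DNSKEY_LINE = f"{OWNER} IN DNSKEY 257 3 13 {base64.b64encode(CONSTRUCTED_KEY).decode()}"

def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def parse_dnskey(line: str):
    """Return (owner, flags, protocol, algorithm, rdata) from a presentation-format DNSKEY."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))  # base64 may be split by whitespace
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return fields[0], flags, proto, alg, rdata

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(line: str, digest_type: int = 2) -> str:
    """DS RDATA in presentation form: 'keytag algorithm digesttype hexdigest' (type 2 = SHA-256)."""
    owner, flags, _, alg, rdata = parse_dnskey(line)
    if not flags & 0x0100:
        raise ValueError("DS must point at a ZONE key")
    if digest_type != 2:
        raise ValueError("only SHA-256 (digest type 2, RFC 4509) is shown here")
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {alg} {digest_type} {digest}"

def ds_matches(published_ds: str, dnskey_line: str) -> bool:
    """True if the DS the registrar published matches the KSK currently in the zone."""
    want = make_ds(dnskey_line).split()
    have = published_ds.split()
    return ([int(want[0]), int(want[1]), int(want[2]), want[3].lower()]
            == [int(have[0]), int(have[1]), int(have[2]), "".join(have[3:]).lower()])
```

A mismatch here (after a KSK roll, or a typo at the registrar's web form) is exactly what makes validating resolvers treat the zone as bogus, so it is worth checking before and after any KSK change.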