Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC
"Michael H. Warfield" <mhw@wittsend.com> Mon, 10 July 2017 20:12 UTC
From: "Michael H. Warfield" <mhw@wittsend.com>
Reply-To: mhw@wittsend.com
To: Bob Harold <rharolde@umich.edu>, Shumon Huque <shuque@gmail.com>
Cc: "Michael H.Warfield" <mhw@WittsEnd.com>, "dnsop@ietf.org WG" <dnsop@ietf.org>
Date: Mon, 10 Jul 2017 16:05:03 -0400
In-Reply-To: <CA+nkc8BiSMSNqa9FifNAqWiZuf7prVjD6EKSnbFjq_EWi8kSoA@mail.gmail.com>
References: <CAHPuVdUVQqvFZJFV4D88cg4fGfFqxnzAwj1VRr6oK7Y1n9hDUw@mail.gmail.com> <CA+nkc8BiSMSNqa9FifNAqWiZuf7prVjD6EKSnbFjq_EWi8kSoA@mail.gmail.com>
Organization: Thaumaturgy & Speculums Technology
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/pzs8NaUntivwpci4lenxOe6RmkY>
On Mon, 2017-07-10 at 13:50 -0400, Bob Harold wrote:
> On Tue, Jul 4, 2017 at 11:42 AM, Shumon Huque <shuque@gmail.com> wrote:
> > Hi folks, ...
> And perhaps a really dumb off-topic question:
> I do not use DNSSEC yet, mostly due to time and effort, secondly due
> to concern over the additional size and processing. Is it possible
> for me to start with a new, rarely implemented, algorithm with
> shorter records, that most resolvers won't understand yet, and have
> those that don't understand it treat the zone as unsigned? Or will
> it break everything? (Section 5 sounds like it breaks)

There is not much at all involved in time or effort any more. I used to manually sign my zones, but I've shifted over to having "bind" just manage all my key signing; I just update the zone and it happens. You just set up your initial keys and register your KSK (Key Signing Key) with your registrar (assuming they support it) and you should be good to go. Rolling your KSKs is still (cough) entertaining but not essential if you're just getting your feet wet.

Some registrars support this and some don't. Some will support DNSsec for the zones but then require you to "self host" your DNS (optionally slaving from your master). I self host and always have. I also use Hurricane Electric for additional slaves. They've gotten much better at DNSsec, though they won't manage it for their hosted zones. DreamHost is another one that will support registration, but you have to self host your master (which then becomes problematical if you want them to host your web site). If you want the hosting company to manage DNSsec for you, good luck. There are some registrars (some very big ones) that still don't support DNSsec or only support it as a "premium" feature, and you should just kick them to the curb.

Overall, it's gotten a lot easier and really not a big deal. Biggest challenge is getting your IT department to spell DNSsec. :-P

Mike

> --
> Bob Harold

-- 
Michael H. Warfield (AI4NB)     | (706) 850-8770 | mhw@WittsEnd.com
   /\/\|=mhw=|\/\/              | (678) 463-0932 | http://www.wittsend.com/mhw/
   ARIN whois: ARIN-MHW9        | An optimist believes we live in the best of all
   PGP Key: 0xC0EB9675674627FF  | possible worlds.  A pessimist is sure of it!
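Added example (not part of the thread, and not Michael Warfield's or BIND's code): the "register your KSK with your registrar" step in the reply above amounts to handing the parent zone a DS record derived from your KSK DNSKEY, and the check worth running afterwards is that the DS the parent actually publishes matches the key in your zone. The script below computes the key tag (RFC 4034, Appendix B) and the DS digest (SHA-256 per RFC 4509 by default) from a DNSKEY's owner name and RDATA, and compares the result with a DS string in the presentation format a parent publishes. The public key in it is a constructed three-byte placeholder, not a real key, and the zone name is assumed; for a real check, take the flags, protocol, algorithm and base64 key from your zone's DNSKEY record and the DS from the parent.

```python
# Added example: derive the DS record for a KSK and compare it with what the
# parent publishes. Not code from the thread or from BIND; the key material
# used below is constructed, not a real key.
import base64
import hashlib
import struct

# DS digest types (RFC 4034 / RFC 4509 / RFC 6605)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, each label length-prefixed, ending in the root label."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label length in {name!r}")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def is_ksk(flags: int) -> bool:
    """Zone Key bit (256) plus Secure Entry Point bit (1), i.e. flags 257."""
    return flags & 0x0101 == 0x0101


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey_b64: str, digest_type: int = 2):
    """Return (key_tag, algorithm, digest_type, HEX_DIGEST) for the DS that
    the parent zone should publish for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest.upper()


def ds_matches(published: str, owner: str, flags: int, protocol: int,
               algorithm: int, pubkey_b64: str) -> bool:
    """True if a DS in presentation format ("tag alg dtype hex...") equals the
    DS derived from the DNSKEY. Hex case and embedded spaces are ignored."""
    tag, alg, dtype, digest = published.split(None, 3)
    expected = ds_record(owner, flags, protocol, algorithm, pubkey_b64, int(dtype))
    return expected == (int(tag), int(alg), int(dtype),
                        digest.replace(" ", "").upper())


if __name__ == "__main__":
    # Constructed placeholder key (three bytes, not a real RSA key) and an
    # assumed zone name.
    zone, flags, proto, alg, key = "example.com.", 257, 3, 8, "AQID"
    tag, a, d, digest = ds_record(zone, flags, proto, alg, key)
    print(f"KSK: {is_ksk(flags)}")
    print(f"{zone} IN DS {tag} {a} {d} {digest}")
```

Flags 257 mark the KSK (the Zone Key and Secure Entry Point bits); a ZSK carries 256 and should not be the key you hand to the registrar. If `ds_matches` comes back False for every DNSKEY in the zone, the parent's DS points at nothing, and validating resolvers will treat the zone as bogus rather than unsigned, which is the failure Bob's question is about.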