Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-multi-provider-dnssec

Matthijs Mekking <> Mon, 13 January 2020 08:57 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 67A6812008B for <>; Mon, 13 Jan 2020 00:57:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.596
X-Spam-Status: No, score=-2.596 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id mtyas5syrwjW for <>; Mon, 13 Jan 2020 00:57:57 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id F2C21120013 for <>; Mon, 13 Jan 2020 00:57:56 -0800 (PST)
Received: from [IPv6:2001:980:4eb1:1:8cc2:8303:1aac:3384] ([IPv6:2001:980:4eb1:1:8cc2:8303:1aac:3384]) by with ESMTPSA id qvXii0oHPT6sRqvXjiSpxX; Mon, 13 Jan 2020 09:57:53 +0100
References: <>
From: Matthijs Mekking <>
Message-ID: <>
Date: Mon, 13 Jan 2020 09:57:50 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-CMAE-Envelope: MS4wfFxnQnz60o8DVG7W0rQpa3gaHD7lajtqT7YOQaoNoo9xnuJTzrMQt16o5UtFH8ztszeARxg+dPIGXlqzNVXCMbqV375FG3CAMFc1zzp1aBMxVdz7C2f5 hW6ZwLGFus7qhYKBAVUaZvB0d4NhVrKfYGIp4HIjfyqiEeXtkGzDPmNW3YEOLR4HI4wYxfsDdbx2jG6szPm+/GgPAGM48miYDxF/WUpaS5KD0LzZhaBuP/hq OIw8f2rrWEtilxJyIRcD1clOhKZDM3KxIlAZEXVrv6g=
Archived-At: <>
Subject: Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-multi-provider-dnssec
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 13 Jan 2020 08:57:59 -0000

Late to the party, I am sorry.

I am positive about this document, and support publication. I do have
one comment on the document, requesting an update.

In section 4 it is said it is RECOMMENDED that providers use a common
signing algorithm.  I think this is too weak and it must be a MUST.

The reason given for RECOMMENDED is that the "liberal approach" works.
The liberal approach says that authoritative zones MUST sign RRsets with
every algorithm in the DNSKEY RRset, but validating resolvers don't have
to enforce this requirement. However, that does not mean the
authoritative server can simply ignore this rule.

Also, if two different providers are using different algorithms, that
means two DS records with different algorithms are distributed to the
parent. And now the algorithm is signaled in the parent and a validator
may execute the multiple algorithms protection check, expecting both
chain of trusts to work.

In other words, please adapt section 4 to be more strict when it comes
to multiple algorithms. If you agree, I am happy to provide the
suggested text.

Again my apologies for bringing this up so late.

Best regards,


On 10/31/19 4:47 PM, Tim Wicinski wrote:
> This starts a Working Group Last Call for
> draft-ietf-dnsop-multi-provider-dnssec
> Current versions of the draft is available here:
> The Current Intended Status of this document is: Informational
> FYI, I will not shepherd this document, as it was written with several
> of my coworkers.
> Benno Overeinder will be Document Shepherd. 
> Please review the draft and offer relevant comments.
> If this does not seem appropriate please speak out. 
> If someone feels the document is *not* ready for publication, please
> speak out with your reasons.
> If there are normative issues, agenda time at IETF106 will be set aside
> to address them
> This starts a two week Working Group Last Call process, and ends on:  15
> November 2019
> thanks
> tim
> _______________________________________________
> DNSOP mailing list