Re: [DNSOP] [Ext] Call for Adoption: draft-hoffman-dnssec-iana-cons

Jim Reid <> Mon, 04 January 2021 16:05 UTC

From: Jim Reid <>
Date: Mon, 04 Jan 2021 16:05:31 +0000
Cc: dnsop WG <>
To: Stephen Farrell <>
Subject: Re: [DNSOP] [Ext] Call for Adoption: draft-hoffman-dnssec-iana-cons

> On 4 Jan 2021, at 15:27, Stephen Farrell <> wrote:
> On 04/01/2021 14:23, Paul Wouters wrote:
>> On Mon, 4 Jan 2021, Stephen Farrell wrote:
>>> WRT GOST, we're not really talking about an algorithm but
>>> rather a national crypto standards scheme that selects sets
>>> of algorithms. For such things, whether from Russia or the
>>> US or anywhere, I think it's quite fair to ask "how has
>>> version N deployment gone?"
>> Why is that fair? 
> Eh? Seems to me that asking about the facts is fair.

It’s a bit odd to be asking about fairness now. [Better late than never I suppose.] IIRC nobody asked about usage when typecodes got issued for DNSSEC algorithms - until now. It was just assumed, perhaps wrongly, they would be used.

However I think you’re conflating two different things Stephen. This I-D is a sensible and pragmatic solution to a real problem. Mandating a standards-track RFC to get a new DNSSEC type code is unreasonable. [Dare I say unfair? :-)] So let’s fix that.

The question of whether a new DNSSEC crypto algorithm will get used/supported or not can be discussed as and when there’s an I-D proposing to adopt one. And of course there’s a meta-discussion to be had about how/where that discussion takes place. IMO some sort of lightweight expert review process like the one used for RR typecode allocation seems appropriate. It doesn’t necessarily follow that writing up such an (Informational?) RFC guarantees an IANA type code allocation. YMMV.

BTW, does anyone ask usage questions before typecodes get allocated for algorithms/modes used in TLS crypto?

I support WG adoption of draft-hoffman-dnssec-iana-cons and am willing to review it. Maybe there needs to be another I-D to document the process for adding and deprecating DNSSEC type codes?