Re: [DNSOP] [Ext] SHA-1 DS algo in arpa. :)

Paul Wouters <paul@nohats.ca> Thu, 09 September 2021 16:05 UTC

Date: Thu, 09 Sep 2021 12:04:51 -0400
From: Paul Wouters <paul@nohats.ca>
Reply-To: /dev/null@nohats.ca
To: Paul Hoffman <paul.hoffman@icann.org>
cc: dnsop <dnsop@ietf.org>
In-Reply-To: <F323FF7D-0022-4A9B-9B45-1356464ABE67@icann.org>
Message-ID: <4734e0b9-c8ad-29ef-c63b-58c459b7e31e@nohats.ca>
References: <262ce7f3-fb31-172d-e920-629da9c1e681@nohats.ca> <F323FF7D-0022-4A9B-9B45-1356464ABE67@icann.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/sFASg7eZ9EiYkF9ZC_j90v88TKI>

On Thu, 9 Sep 2021, Paul Hoffman wrote:

> On Sep 9, 2021, at 8:28 AM, Paul Wouters <paul@nohats.ca> wrote:
>> This is strongly hinted at in 2006:
>>
>> 	https://datatracker.ietf.org/doc/html/rfc4509#section-6.2
>>
>> and even stronger via a MUST NOT in 2019's RFC 8624:
>>
>> 	https://datatracker.ietf.org/doc/html/rfc8624#section-3.3
>
> RFC 8624 is implementation guidance, not deployment guidance. This WG discussed at length whether to include deployment guidance (particularly for weaker algorithms like SHA1) and concluded that we didn't want to do that. You should know this, given that you are co-editor of RFC 8624.

It seems that if we tell implementors they MUST NOT implement it, it
would be very unwise to still create new records of this type? Unless
we specifically want to test being part of the long tail of obsolete
deployments as a standards body.

>> What's the process for requesting the SHA-1 based DS record deletion for .arpa?
>
> Did you first ask the administrators of the zone in question before sending this message to a group that has no administrative power over the zone?

No, I used this group as the umbrella contact, as I assumed the
knowledgeable people are here. But it seems instead I found a grumpy
person who seems to know the process better than me but prefers
yelling into the cloud more than educating me.

Paul
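
The check the thread is arguing about, as an added example that is not part of the message or of any RFC text: given DS records in presentation format (as `dig DS <zone>` prints them), flag any digest type that RFC 8624 Section 3.3 lists as MUST NOT for delegation (type 1, SHA-1, among them), and show how a DS digest is derived from a DNSKEY per RFC 4034 Section 5.1.4 so the SHA-1 and SHA-256 forms can be compared. The DNSKEY public key and the DS digests below are constructed sample data, not the real arpa records; everything else is Python standard library.

```python
"""Audit DS records against RFC 8624 Section 3.3 (added example, constructed data)."""
import base64
import hashlib
import struct

# RFC 8624 Section 3.3, "DNSSEC Delegation" column: what a zone may publish.
DS_DIGEST_DELEGATION = {
    0: ("NULL (CDS only)", "MUST NOT"),
    1: ("SHA-1", "MUST NOT"),
    2: ("SHA-256", "MUST"),
    3: ("GOST R 34.11-94", "MUST NOT"),
    4: ("SHA-384", "MAY"),
}
# Digest length in bytes per digest type (RFC 4034 for 1, RFC 4509 for 2, RFC 6605 for 4).
DIGEST_LEN = {1: 20, 2: 32, 4: 48}
HASH_FOR_TYPE = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            lab = label.encode("ascii")
            out += bytes([len(lab)]) + lab
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (for every algorithm except 1, RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type):
    """DS RDATA for a DNSKEY: digest over canonical owner name || DNSKEY RDATA (RFC 4034 5.1.4)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = HASH_FOR_TYPE[digest_type](owner_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, digest_type, digest.upper())


def parse_ds(line):
    """Parse 'owner [ttl] [IN] DS keytag alg digtype hex...' (hex may be space-split)."""
    fields = line.split()
    i = fields.index("DS")
    keytag, alg, dtype = int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3])
    digest = "".join(fields[i + 4:]).upper()
    return fields[0], keytag, alg, dtype, digest


def check_ds(line):
    """Return (ok, reason): digest length matches its type, and the type may be delegated."""
    owner, keytag, alg, dtype, digest = parse_ds(line)
    if dtype not in DS_DIGEST_DELEGATION:
        return False, f"{owner}: unknown DS digest type {dtype}"
    name, status = DS_DIGEST_DELEGATION[dtype]
    expected = DIGEST_LEN.get(dtype)
    if expected is not None and len(digest) != expected * 2:
        return False, f"{owner}: {name} digest must be {expected} bytes, got {len(digest) // 2}"
    if status == "MUST NOT":
        return False, f"{owner}: keytag {keytag} digest type {dtype} ({name}) is MUST NOT for delegation (RFC 8624 3.3)"
    return True, f"{owner}: keytag {keytag} digest type {dtype} ({name}) is {status} for delegation"


# Constructed sample data: a made-up 64-byte "public key" and three made-up DS lines.
SAMPLE_PUBKEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_DS = [
    "example. 3600 IN DS 12345 8 1 " + "0123456789ABCDEF" * 2 + "01234567",  # SHA-1, 20 bytes
    "example. 3600 IN DS 12345 8 2 " + "0123456789ABCDEF" * 4,               # SHA-256, 32 bytes
    "example. 3600 IN DS 12345 8 2 " + "0123456789ABCDEF" * 2 + "01234567",  # type 2 with a 20-byte digest
]


def audit(lines):
    """Run check_ds over a DS RRset; returns one (ok, reason) per line."""
    return [check_ds(line) for line in lines]


if __name__ == "__main__":
    for ok, reason in audit(SAMPLE_DS):
        print("OK  " if ok else "FAIL", reason)
    for dtype in (1, 2):
        print("computed DS:", make_ds("example.", 257, 3, 8, SAMPLE_PUBKEY, dtype))
```

The length check matters in practice: a validator that only looks at the digest type field will accept a record whose digest bytes are the wrong size, so the audit rejects it before consulting the RFC 8624 table. To run this against a live zone, feed it the output of `dig +short DS <zone>` (prefixing the owner name, since `+short` drops it) instead of `SAMPLE_DS`.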