Re: [DNSOP] [Ext] Call for Adoption: draft-hoffman-dnssec-iana-cons
Joe Abley <jabley@hopcount.ca> Wed, 06 January 2021 20:37 UTC
From: Joe Abley <jabley@hopcount.ca>
Mime-Version: 1.0 (1.0)
Date: Wed, 06 Jan 2021 15:37:38 -0500
Message-Id: <9F0E83E0-EAB1-4508-9D55-850294204BD2@hopcount.ca>
References: <CAHbrMsDAMsXzAhcu35_GqL54JNF2jO-HhYWEZyE2VLP=V8dN5A@mail.gmail.com>
Cc: Paul Wouters <paul@nohats.ca>, dnsop <dnsop@ietf.org>
In-Reply-To: <CAHbrMsDAMsXzAhcu35_GqL54JNF2jO-HhYWEZyE2VLP=V8dN5A@mail.gmail.com>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/sG-lAXYH349YPwwIHs20ibVR1VE>
On Jan 6, 2021, at 14:45, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> wrote:

> That model works well when (a) all validators implement an algorithm you like OR (b) you view each algorithm as either "definitely strong" or "worthless" (no middle ground).

We are in scenario (b). When you sign a zone you choose one or more algorithms that are individually sufficient. Their relative strength is not important.

> Otherwise, the zone owner has a dilemma. Should I protect fewer users with higher confidence, or more users with lower confidence?

I think that is the sticking point in this conversation. I think zone owners are not protecting anybody; they are including a means to gauge authenticity in their responses so that validators can protect users. There's nothing practically preventing validators from applying local policy in the way they determine whether a response is authentic. Whether or not that's a good idea is an interesting question, but I think it's orthogonal to how individual RRSets are signed.

> Telling validators to "insist" that all signatures are valid would resolve this dilemma. Zone owners could add algorithms without weakening anything.

How do you deploy a new signing algorithm alongside an established one without going dark to users using validators that don't support it, in that case?

Joe
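The two validator policies being argued over above can be modelled in a few lines. The block below is an added illustration, not code from the thread or from any DNSSEC implementation: it contrasts RFC 6840's "accept if any RRSIG in a supported algorithm verifies" rule with the "insist every signature verifies" rule Ben proposes, for a zone that has just added a second algorithm. Algorithm codes 8 (RSASHA256) and 15 (ED25519) are real IANA numbers; the validator capabilities, the "broken algorithm" flag, the signature outcomes and the function names (`validate`, `compare`) are all constructed for the example.

```python
"""Two DNSSEC validator policies for a zone signed with several algorithms.
Added illustration, not code from the thread. Codes 8 (RSASHA256) and 15
(ED25519) are real IANA algorithm numbers; everything else (what a validator
supports, which algorithm is "broken", whether a signature verifies) is a
constructed stand-in for real cryptographic checks."""

RSASHA256, ED25519 = 8, 15

def validate(policy, sigs, supported):
    """Return 'secure' or 'bogus' for one RRset.
    sigs: {algorithm: verifies?} - one RRSIG per algorithm the zone uses.
    supported: algorithms this validator implements.
    'any': RFC 6840 section 5.11 - accept if any RRSIG in a supported
           algorithm verifies; the others are ignored.
    'all': the stricter rule proposed above - every published RRSIG must be
           checked and verify, so an algorithm the validator cannot check
           makes the RRset bogus.
    DS-level 'insecure' handling is deliberately left out of this model."""
    checkable = {alg: ok for alg, ok in sigs.items() if alg in supported}
    if policy == "any":
        return "secure" if any(checkable.values()) else "bogus"
    if policy == "all":
        complete = len(checkable) == len(sigs)
        return "secure" if complete and all(checkable.values()) else "bogus"
    raise ValueError(f"unknown policy {policy!r}")

def legitimate_sigs(zone_algs):
    """The zone owner signs with every algorithm it publishes; all verify."""
    return {alg: True for alg in zone_algs}

def forged_sigs(zone_algs, broken_algs):
    """A forgery only carries verifying RRSIGs for broken algorithms."""
    return {alg: alg in broken_algs for alg in zone_algs}

def compare(zone_algs, supported, broken_algs):
    """(outcome for the real RRset, outcome for a forgery) under each policy."""
    return {
        policy: (validate(policy, legitimate_sigs(zone_algs), supported),
                 validate(policy, forged_sigs(zone_algs, broken_algs), supported))
        for policy in ("any", "all")
    }

if __name__ == "__main__":
    zone = {RSASHA256, ED25519}  # established algorithm plus a newly added one
    # Joe's case: a validator that does not yet implement the new algorithm.
    print("old validator  :", compare(zone, {RSASHA256}, set()))
    # Ben's case: a validator supporting both, after RSASHA256 is "broken".
    print("8 broken, both :", compare(zone, zone, {RSASHA256}))
```

Under "any", the validator that lacks ED25519 keeps validating the zone via RSASHA256 but a forgery in a broken RSASHA256 would also pass; under "all", that forgery is rejected, but the same old validator now reports the legitimate zone as bogus, which is the "going dark" in Joe's question.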