Re: [DNSOP] Call for Adoption draft-wouters-sury-dnsop-algorithm-update

Paul Wouters <paul@nohats.ca> Thu, 02 March 2017 18:00 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8C8E129598 for <dnsop@ietfa.amsl.com>; Thu, 2 Mar 2017 10:00:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0Yixh6JKAfLt for <dnsop@ietfa.amsl.com>; Thu, 2 Mar 2017 10:00:39 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 158E1129594 for <dnsop@ietf.org>; Thu, 2 Mar 2017 10:00:39 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3vZ0Tv0vH9z1x3 for <dnsop@ietf.org>; Thu, 2 Mar 2017 19:00:35 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1488477635; bh=bhX228Wby3jKcPnGFeCB3Kld/xL+MHF7FPaq5eBzit4=; h=Date:From:To:Subject:In-Reply-To:References; b=tpZIKRYo8YYDBV+3qvX5KAJLuHHdC/3KVfIxiwojDaV6aq2893lGThQ7HTS0CcpMD kyTplmKRrF5QKlekqIG5HQLu7HqS9zrJ8JXGOEzB4y93Kbn4Iefdn9uNOVy0K2SMvX gHug7R0vdMG8GY/lylnWYrN3rm84SW4V0PuLePR4=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id 1WCSAECnmW2Y for <dnsop@ietf.org>; Thu, 2 Mar 2017 19:00:31 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS for <dnsop@ietf.org>; Thu, 2 Mar 2017 19:00:31 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 805B3227094; Thu, 2 Mar 2017 13:00:30 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 805B3227094
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 7A144420AC94 for <dnsop@ietf.org>; Thu, 2 Mar 2017 13:00:30 -0500 (EST)
Date: Thu, 2 Mar 2017 13:00:30 -0500 (EST)
From: Paul Wouters <paul@nohats.ca>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <76B12F6D-9D53-4FEB-974D-BB4D6DB02F0B@dnss.ec>
Message-ID: <alpine.LRH.2.20.1703021223170.10405@bofh.nohats.ca>
References: <78013346-6100-f7e6-a3c8-87d2f92533d8@gmail.com> <F40B69DF-6391-4008-A7CD-C85277952D8A@dnss.ec> <alpine.LRH.2.20.1702281627360.22841@bofh.nohats.ca> <920390D7-BFF8-4680-B2D8-488777671DCA@dnss.ec> <alpine.LRH.2.20.1702282052220.28866@bofh.nohats.ca> <AC4C0368-1454-4718-95AF-BB4DDECEF17E@dnss.ec> <alpine.LRH.2.20.1703011221400.15273@bofh.nohats.ca> <76B12F6D-9D53-4FEB-974D-BB4D6DB02F0B@dnss.ec>
User-Agent: Alpine 2.20 (LRH 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8BIT
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/shDC60j6CYqQuO8A6UXL67pONq4>
Subject: Re: [DNSOP] Call for Adoption draft-wouters-sury-dnsop-algorithm-update
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Mar 2017 18:00:41 -0000

On Thu, 2 Mar 2017, Roy Arends wrote:

> Implementer should follow spec. Spec sez MUST or SHOULD.

Implementers may decide to implent some algorithms and not some others,
depending on the level.

> Now it says MUST- MUST+ MUST SHOULD- SHOULD+ and SHOULD. Very confusing.

I understand _you_ find it confusing. It has been used for years in the
ipsec working group without having caused confusion.

> Which one should be implemented?

Saving you the time to re-read Section 1.2 and Section 2:

    SHOULD+   This term means the same as SHOULD.  However, it is likely
              that an algorithm marked as SHOULD+ will be promoted at some
              future time to be a MUST.

    SHOULD-   This term means the same as SHOULD.  However, an algorithm
              marked as SHOULD- may be deprecated to a MAY in a future
              version of this document.
    MUST-     This term means the same as MUST.  However, we expect at
              some point that this algorithm will no longer be a MUST in a
              future document.  Although its status will be determined at
              a later time, it is reasonable to expect that if a future
              revision of a document alters the status of a MUST-
              algorithm, it will remain at least a SHOULD or a SHOULD-.


MUST+ is something you made up, but if you have any divine algorithms
to share, maybe we can do something :P

> How do I add a grade of importance to specific algorithms, while the protocol itself doesn’t care.

I don't understand this remark.

What the + and - symbols are conveying is a likely trend. It is an
effort to ramp up secure algorithms more quickly and to make the long
tail shorter. Without being naive and writing in flag days into RFCs
that implementers are forced to ignore. If we write MUST NOT for SHA1
one, it would be extremely damaging to the current deployment.

You indicated you find this useless. That's fine. If the majority of
the WG agrees with you, we can remove it. I think it will make the
document less informative to implementers.

> DNSSEC has no signalling which algorithm is more or less important in the future.

Which seems to only be a reason in favour of describing this in the RFCs
for implementers?

>> Well, secspider is pretty good?  http://secspider.verisignlabs.com/stats.html
>> 
>> 1,641,133 	Production DNSSEC-enabled zones
>> 
>> RSASHA1-NSEC3-SHA1	1,320,540
>> RSA/MD5			21
>> RSA/SHA-1 [RSASHA1]	123,575
>> RSA/SHA256 [RSASHA256]	2,332,855
>> 
>> Number of keys does not directly map to number of zones (we have 3.6M
>> keys and 1.6M zones) but this shows 1/3 of the keys are still using
>> SHA1.
>
> Okay, so you did make it up.
>
> 1/3 is not 1/2.

There are people willing to break 1/3 of the internet but not willing to
break 1/2 of the internet?

> How many of those SHA1 keys are used in conjunction with non-SHA1? That is, how many would still be secure when SHA1 is ignored?

Yes, it is theoretically possible that the 1.3 million keys with SHA1 that
are currently deployed are in a zone that is currently in the process of
an algorithm rollover with SHA2. Maybe we can ask Geof since secspider
does not log this.

> Again, how many zones does it affect when most of them have SHA2 as well?

"Do you have the data or are you making this up"

> The damage I’m trying to avoid is the false sense of security you are inflicting by not taking the proper action.

The proper action being to make millions of zones lose SHA1 based DNSSEC
protection and leaving them vulnerable to simple DNS spoofing that does
not take 6500 CPU years?

You are afraid this document obsoletes too slowly, yet we have vendors who
says this document is moving way too quickly and they will never ever
remove anything. As an author, it is not my goal to produce a document
that has to be ignored.

> It is because the lack of action from specs like these that BIND-9.11.0 still ships with SHA1 defaults:

Hmm. If you look at algorithm selection in Section 3.1, you can see SHA1
based algorithms listed as MUST- and SHA256 based algorithms listed as
MUST. So our +/- signaling would actually be a great way for
implementers to decide that RSASHA256 is a better default then RSASHA1.

And had we both had to list them as MUST without any qualifier,
implementers wouldn't have been given that guidance.

Paul