IETF Logo Mail Archive

Re: [DNSOP] [Ext] More private algorithms for DNSSEC

Paul Hoffman <paul.hoffman@icann.org> Mon, 21 March 2022 19:32 UTC

Return-Path: <paul.hoffman@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB6863A14ED; Mon, 21 Mar 2022 12:32:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ih1-Q326F7zK; Mon, 21 Mar 2022 12:32:08 -0700 (PDT)
Received: from ppa5.dc.icann.org (ppa5.dc.icann.org [192.0.46.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82F1D3A14EC; Mon, 21 Mar 2022 12:32:08 -0700 (PDT)
Received: from MBX112-W2-CO-1.pexch112.icann.org (out.mail.icann.org [64.78.33.5]) by ppa5.dc.icann.org (8.16.0.43/8.16.0.43) with ESMTPS id 22LJW4uk010749 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 21 Mar 2022 19:32:05 GMT
Received: from MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) by MBX112-W2-CO-2.pexch112.icann.org (10.226.41.130) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.22; Mon, 21 Mar 2022 12:32:03 -0700
Received: from MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) by MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) with mapi id 15.02.0986.022; Mon, 21 Mar 2022 12:32:03 -0700
From: Paul Hoffman <paul.hoffman@icann.org>
To: "Wessels, Duane" <dwessels=40verisign.com@dmarc.ietf.org>
CC: dnsop WG <dnsop@ietf.org>
Thread-Topic: [Ext] [DNSOP] More private algorithms for DNSSEC
Thread-Index: AQHYPVpXts2QLwWx3keZSJkaCdcXJA==
Date: Mon, 21 Mar 2022 19:32:03 +0000
Message-ID: <1D59C3FB-4FCC-4A03-8E13-EA6902B14D2A@icann.org>
References: <5C105C71-B18C-4366-94F5-E8D60970109C@icann.org> <20B389EF-4909-43A0-9BC8-F57F5E332E8A@verisign.com>
In-Reply-To: <20B389EF-4909-43A0-9BC8-F57F5E332E8A@verisign.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [192.0.32.234]
x-source-routing-agent: Processed
Content-Type: multipart/signed; boundary="Apple-Mail=_0914AF2C-0F46-4B2B-BE05-745C392D2525"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.425, 18.0.850 definitions=2022-03-21_08:2022-03-18, 2022-03-21 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/tFLWwgklF_7IdLSW6HxuTOkoEk4>
Subject: Re: [DNSOP] [Ext] More private algorithms for DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Mar 2022 19:32:10 -0000

On Mar 21, 2022, at 11:34 AM, Wessels, Duane <dwessels=40verisign.com@dmarc.ietf.org> wrote:
> Is it in response to the DNS-OARC talk we saw about implementing PQC Falcon in PowerDNS, and they used the next unused algorithm number rather than a private algorithm?

Nils could have picked 253 but probably didn't even think of looking down to the bottom of the list. He was just following the time-honored pattern in the IETF. :-)

> If the authors of that work are on this list I would be interested to hear from them about that decision. In particular, would just having more private algorithms change their thinking or is something else needed?

They only needed one. This draft is for experimenters who need many at the same time. NIST has said that they are likely to later standardize on multiple post-quantum signature algorithms which will create larger payloads, and the DNSSEC community will have to decide if it wants just one of those, or many. Having a bit of experimental space for authoritative and recursive developers would be good, given that basically the entire range will be empty for centuries.

--Paul Hoffman

v2.23.0 | Report a Bug | By Email