[DNSOP] Post quantum DNSSEC ?
"John R Levine" <johnl@taugh.com> Tue, 15 October 2019 19:11 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/u_-Di8wF_BOaVI45Cr9R471fyRo>

I just heard a most interesting talk at M3AAWG about postquantum crypto and particularly about the NIST candidate algorithms. Many of them have much larger key or signature sizes than any current algorithm, like 10,000 bits or more. Some are a lot slower than others.

Has anyone been looking at how these algorithms would or would not work with DNSSEC? NIST is accepting comments and the talk said they particularly want comments from industry on how this would affect existing applications.

I can imagine ways to make things work, e.g., hashes in some places rather than signatures, but I don't understand DNSSEC in enough detail to figure out what's a show stopper.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly