[DNSOP] Re: New draft on collision free key tags in DNSSEC

Vladimír Čunát <vladimir.cunat+ietf@nic.cz> Wed, 31 July 2024 11:51 UTC

Message-ID: <402049f4-6156-4ecc-9e0c-8e3135219351@nic.cz>
To: "libor.peltan" <libor.peltan@nic.cz>, Shumon Huque <shuque@gmail.com>, "dnsop@ietf.org WG" <dnsop@ietf.org>
References: <CAHPuVdUveYraaGtrGveKTiLgP1L19G6g6=bsKsHjsPsP5fkiXg@mail.gmail.com> <774ab370-5d66-4c0d-b0a4-6d9e9cec2549@nic.cz>
In-Reply-To: <774ab370-5d66-4c0d-b0a4-6d9e9cec2549@nic.cz>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/vQlWOqB7ZfQpUEBvz38BzjUWNmA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>

On 30/07/2024 09.41, libor.peltan wrote:
> Anyway, it can realistically take decades before any new algorithms 
> seize some good portion of DNSSEC. In other words, that flag day has 
> already silently passed.

I don't think that's a helpful point in time.  I assume the main target 
of this RFC is defending against intentional DoS attacks, and the 
attackers will choose what's best for them.  That is, the usefulness 
horizon here would be when all other algorithms can be reasonably marked 
as unsupported by validators, so that's even further in the future.  (But 
the achievable length is hard to predict; it depends on the motivation of 
various parties.)