Re: [DNSOP] Interest in moving forward with draft-york-dnsop-deploying-dnssec-crypto-algs ?

Bob Harold <> Fri, 02 November 2018 18:15 UTC

List-Id: IETF DNSOP WG mailing list <>

On Fri, Nov 2, 2018 at 1:38 PM Dan York <> wrote:

> During the time leading up to the Root KSK Rollover on October 11, I had
> multiple people from outside of DNS circles asking me why DNS was so hard
> to upgrade. Basically - why was this Root KSK Rollover such a big concern?
>
> I recalled the draft a few of us wrote a bit ago with observations on the
> challenges of deploying DNSSEC cryptographic algorithms:
>
> While we originally wrote that draft to feed into some of the KSK rollover
> design discussions that were happening, it occurred to me that it might be
> useful to have out there and available in some public form for people to be
> able to find and refer to.
>
> Is there interest from this group in moving this draft forward?  And if
> so, do people have comments on what is in the draft?
>
> Thanks,
> Dan
>
> P.S. There are certainly other places this kind of document could be
> published. For instance, I could turn that into a short paper we publish on
> the Internet Society's website in the Deploy360 section. But there is also
> a logical value to including it along with the other DNSSEC documents in
> the RFCs.
>
> --
> Dan York
> Director, Content & Web Strategy, Internet Society
>   +1-802-735-1624
> Jabber:  Skype: danyork

Looks good to me.  I have no strong opinion on where it should be
published.  If published somewhere other than as an RFC, you might add some
current statistics on old versions of software in use and how many things
never get updates to illustrate how bad the problem is.

Bob Harold