Re: [DNSOP] Fwd: code points for brainpool curves for DNSSEC

Ólafur Guðmundsson <> Thu, 10 December 2015 00:33 UTC

Date: Wed, 09 Dec 2015 22:33:08 -0200
From: Ólafur Guðmundsson <>
To: Stephen Farrell <>
Cc: dnsop <>,
Subject: Re: [DNSOP] Fwd: code points for brainpool curves for DNSSEC


Sorry for being so blunt below.

The document is totally content free as to why this makes any sense in an
operational context.
DNSSEC algorithms should not be given out lightly, as there is a significant
COST to deploy support for each additional algorithm.

While I strongly support having better ECC algorithms than the currently
specified curves, adding new ones SHOULD take place via a performance-
oriented process.
Thus I strongly advocate that this publication be held up until we can
compare this curve with other curves being proposed.

Background: I'm currently fighting a multifaceted battle to have various
entities add support for ECDSAP256, specified over 3 years ago.

Adding and deploying a new DNSKEY algorithm does not just require changes
to DNS servers, libraries and resolvers.

That is just the tip of the iceberg; it also requires changes to
 - DNS provisioning systems, DNSSEC signing systems, DNS testing tools,
 - user interfaces for registrars, hosting providers, third-party DNS
operators, CDNs, etc.
 - TLD and ccTLD policy documents, EPP implementations, plus in some cases
security evaluations,
 - not to mention firewalls, network monitoring tools ....
 - and a number of other things I had no idea existed, the majority of which
are not maintained anymore.

There are only so many times that one can get everyone's attention to
upgrade DNS stuff, thus requiring the change process to be run should not
be taken lightly.
If, on the other hand, the editors are only interested in vanity algorithm
assignment without any deployment then ...........


On Wed, Dec 9, 2015 at 4:00 PM, Stephen Farrell <>

> -------- Forwarded Message --------
> Subject: code points for brainpool curves for DNSSEC
> Date: Wed, 9 Dec 2015 18:00:18 +0000
> From: Stephen Farrell <>
> To:
> Hiya,
> The brainpool folks have written an I-D [1] that they are pushing
> through the rfc editor's independent stream. [2]
> That I-D wants to register code points for using their curves for
> For documents that come through the independent stream, the IESG
> does an RFC 5742 [3] conflict review. The purpose of that review
> is to check that the RFC doesn't conflict with ongoing work in
> the IETF.
> If you have thoughts on this, please let me know before Dec 17th.
> I'll forward this to the dnsop, cfrg and curdle mailing lists
> to check there too. Apologies if you get >1 copy of this. Please
> try to follow up on the saag list if you can.
> Thanks,
> Stephen.
> [1]
> [2]
> [3]
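The operational cost Ólafur describes has a concrete validation-side consequence: a validator that was never upgraded for a new DNSKEY algorithm does not fail hard, it quietly downgrades the zone to unsigned. The following added example (not code from this thread or from the brainpool draft) applies the rule from RFC 4035 section 5.2 to a constructed DS RRset; the zone name, key tags and digests are placeholders, and the algorithm numbers are the real IANA assignments.

```python
import re
from typing import Iterable, List, Set

# Subset of the IANA DNS Security Algorithm Numbers registry (real values).
ALG_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
             10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384"}

# Constructed DS RRset in presentation format: the zone publishes a DS for
# an RSASHA256 key (alg 8) and one for an ECDSAP256SHA256 key (alg 13).
# Owner name, key tags and digests are placeholders, not real data.
SAMPLE_DS = """
example.test. 3600 IN DS 12345 8 2 00000000000000000000000000000000
example.test. 3600 IN DS 23456 13 2 11111111111111111111111111111111
"""

# owner TTL IN DS keytag algorithm digesttype digest
DS_RE = re.compile(r"^\S+\s+\d+\s+IN\s+DS\s+(\d+)\s+(\d+)\s+(\d+)\s+\S+$")


def ds_algorithms(rrset_text: str) -> Set[int]:
    """Return the set of algorithm numbers present in a DS RRset."""
    algs = set()
    for line in rrset_text.strip().splitlines():
        m = DS_RE.match(line.strip())
        if m:
            algs.add(int(m.group(2)))
    return algs


def validation_outcome(ds_algs: Set[int], supported: Iterable[int]) -> str:
    """RFC 4035 s5.2: with no supported DS algorithm the validator has no
    authentication path into the child and treats the zone as INSECURE
    (as if no DS existed), not bogus. With at least one supported
    algorithm the chain can be built and the zone is validatable."""
    return "validatable" if ds_algs & set(supported) else "insecure"


def unsupported_report(ds_algs: Set[int], supported: Iterable[int]) -> List[str]:
    """List the DS algorithms this validator cannot use, with IANA names."""
    return [f"{a} ({ALG_NAMES.get(a, 'unknown')})"
            for a in sorted(ds_algs - set(supported))]


if __name__ == "__main__":
    algs = ds_algorithms(SAMPLE_DS)
    # An RSA-only validator still validates this zone only because an alg 8
    # DS is kept alongside alg 13; a zone that moved to alg 13 alone would
    # be treated as unsigned by that same validator.
    for supported in ({8, 10}, {8, 13}, {5, 7, 8, 10}):
        print(sorted(supported), validation_outcome(algs, supported),
              unsupported_report(algs, supported))
    print(validation_outcome({13}, {5, 7, 8, 10}))  # insecure
```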