Re: [DNSOP] AD review of draft-ietf-dnsop-multi-provider-dnssec
Frederico A C Neves <fneves@registro.br> Tue, 21 January 2020 16:31 UTC
Return-Path: <fneves@registro.br>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC206120044; Tue, 21 Jan 2020 08:31:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.898
X-Spam-Level:
X-Spam-Status: No, score=-6.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rg2SctnBWBD2; Tue, 21 Jan 2020 08:31:13 -0800 (PST)
Received: from clone.registro.br (clone.registro.br [200.160.2.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D9E71201A3; Tue, 21 Jan 2020 08:31:12 -0800 (PST)
Received: by clone.registro.br (Postfix, from userid 1000) id 2CD4F59D13A; Tue, 21 Jan 2020 13:31:09 -0300 (-03)
Date: Tue, 21 Jan 2020 13:31:09 -0300
From: Frederico A C Neves <fneves@registro.br>
To: Shumon Huque <shuque@gmail.com>
Cc: Matthijs Mekking <matthijs@pletterpet.nl>, draft-ietf-dnsop-multi-provider-dnssec@ietf.org, "dnsop@ietf.org WG" <dnsop@ietf.org>
Message-ID: <20200121163109.GC98497@registro.br>
References: <CAHw9_iLFuSbdA2TFS4Qd2dAzDFJyJgfQGY1+T2c2JQZ3WTat_A@mail.gmail.com> <CAHPuVdUUeLx59B0SrzmFazd_rqUm1kU-ARG-LBEYa4jFQyaH3Q@mail.gmail.com> <3fb01cba-9558-531c-5764-9c34b111545b@pletterpet.nl> <CAHPuVdWNAJbGm=j96149Sb9gig1QuAyCXyVbsZY0BzhpP_DV3g@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAHPuVdWNAJbGm=j96149Sb9gig1QuAyCXyVbsZY0BzhpP_DV3g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/x2-OIkPqGm15p_iVFTHGALn3l24>
Subject: Re: [DNSOP] AD review of draft-ietf-dnsop-multi-provider-dnssec
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jan 2020 16:31:19 -0000
Hi Shumon, On Tue, Jan 21, 2020 at 10:05:56AM -0500, Shumon Huque wrote: > Hi Matthijs, > > Sorry, I did miss your original note on this point. Now that I've seen it, > I'm copying back dnsop@ietf.org to see if there are other comments on your > proposal. > > When the Algorithm Considerations section was originally written, I > intentionally did not prohibit the use of multiple algorithms across > providers (even though we recommended against it) for a very > pragmatic reason: I was actually working with 2 DNS providers that > supported disjoint algorithms (one RSASHA256 and the other ECDSAP256), and > was seriously contemplating deploying such a multi-signer configuration in > production. It would be a bit strange to deploy a configuration on the one > hand, and at the same time write a document that explicitly forbid that > configuration. > > You mention that authoritative servers cannot simply ignore the rule that > they must sign all RRsets in the zone with every algorithm in the DNSKEY > RRset. However, in practice it is clearly being ignored. Neither .SE or .BR > double signed their zone data during their algorithm rollovers and there > are other cases. Actually the algorithm rollover, following the liberal approach, is a pure double signing process. With TTLs tuned it is during a short interval but still double signing the zone. ftp://ftp.registro.br/pub/gts/gts32/01-br-algorithm-rollover.pdf > > As it turns out, the provider that only supported RSASHA256 exited the > managed DNS provider business, and the only vendors we are working with > currently all support our preferred algorithm (ECDSAP256) in common. Hence, > I am now open to updating the document to prohibit it. But will such text > cause aggravation for other potential deployers that may run into a similar > situation with other providers, and do we care? > > This also begs the question: should we (in another document) update RFC > 4035, Section 2 (last paragraph) to relax or eliminate the rule, if in fact > it is being ignored? I guess 6840 sec 5.11 already clarifies it. 4035 sec 2.2 is talking about signers. Fred > > Frankly, I've always been a bit perplexed by this text, since it has no > accompanying rationale. The only compelling rationale I see is downgrade > protection - to detect that someone hasn't stripped away the signatures of > a stronger algorithm and forced a validator to authenticate only the weaker > signatures. But that implies that validators have a documented procedure to > rank algorithms, which I haven't yet seen. Is a 3072-bit RSASHA256 key > stronger or weaker than an ECDSAP256SHA256 key for example, or Ed25519 vs > ECDSAP256SHA256? > > Shumon. > > On Tue, Jan 21, 2020 at 3:59 AM Matthijs Mekking <matthijs@pletterpet.nl> > wrote: > > > Hi Shumon, > > > > On 1/20/20 9:21 PM, Shumon Huque wrote: > > > 4: The document uses one inceanse of RFC2119 language (RECOMMENDED) - > > > please either drop this, or add the 2119 / 8174 boilerplate. > > > > > > > > > Ok, I'm inclined to lowercase it, since we don't use 2119/8174 keywords > > > anywhere else in this document. > > > > Did you see my mail related to this? If you are going with the lowercase > > approach, please use the word "must" instead of "should". > > > > Best regards, > > > > Matthijs > > > > > > -------- Forwarded Message -------- > > Subject: Re: [DNSOP] Working Group Last Call for > > draft-ietf-dnsop-multi-provider-dnssec > > Date: Mon, 13 Jan 2020 09:57:50 +0100 > > From: Matthijs Mekking <matthijs@pletterpet.nl> > > To: dnsop@ietf.org > > > > Late to the party, I am sorry. > > > > I am positive about this document, and support publication. I do have > > one comment on the document, requesting an update. > > > > In section 4 it is said it is RECOMMENDED that providers use a common > > signing algorithm. I think this is too weak and it must be a MUST. > > > > The reason given for RECOMMENDED is that the "liberal approach" works. > > The liberal approach says that authoritative zones MUST sign RRsets with > > every algorithm in the DNSKEY RRset, but validating resolvers don't have > > to enforce this requirement. However, that does not mean the > > authoritative server can simply ignore this rule. > > > > Also, if two different providers are using different algorithms, that > > means two DS records with different algorithms are distributed to the > > parent. And now the algorithm is signaled in the parent and a validator > > may execute the multiple algorithms protection check, expecting both > > chain of trusts to work. > > > > In other words, please adapt section 4 to be more strict when it comes > > to multiple algorithms. If you agree, I am happy to provide the > > suggested text. > > > > Again my apologies for bringing this up so late. > > > > Best regards, > > > > Matthijs > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop
- [DNSOP] AD review of draft-ietf-dnsop-multi-provi… Warren Kumari
- Re: [DNSOP] AD review of draft-ietf-dnsop-multi-p… Warren Kumari
- Re: [DNSOP] AD review of draft-ietf-dnsop-multi-p… Shumon Huque
- Re: [DNSOP] AD review of draft-ietf-dnsop-multi-p… Warren Kumari
- Re: [DNSOP] AD review of draft-ietf-dnsop-multi-p… Shumon Huque
- Re: [DNSOP] AD review of draft-ietf-dnsop-multi-p… Shumon Huque
- Re: [DNSOP] AD review of draft-ietf-dnsop-multi-p… Steve Crocker
- Re: [DNSOP] AD review of draft-ietf-dnsop-multi-p… Frederico A C Neves
- Re: [DNSOP] AD review of draft-ietf-dnsop-multi-p… Matthijs Mekking
- Re: [DNSOP] AD review of draft-ietf-dnsop-multi-p… Tony Finch
- Re: [DNSOP] AD review of draft-ietf-dnsop-multi-p… Matthijs Mekking
- Re: [DNSOP] AD review of draft-ietf-dnsop-multi-p… Shumon Huque
- Re: [DNSOP] AD review of draft-ietf-dnsop-multi-p… Shumon Huque
- Re: [DNSOP] AD review of draft-ietf-dnsop-multi-p… Shumon Huque
- Re: [DNSOP] AD review of draft-ietf-dnsop-multi-p… Warren Kumari