IETF Logo Mail Archive

Re: [DNSOP] [Ext] Call for Adoption: draft-hoffman-dnssec-iana-cons

Ben Schwartz <bemasc@google.com> Wed, 06 January 2021 20:48 UTC

Return-Path: <bemasc@google.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA2513A11A1 for <dnsop@ietfa.amsl.com>; Wed, 6 Jan 2021 12:48:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.971
X-Spam-Level:
X-Spam-Status: No, score=-17.971 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.373, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VZ4EP2RcL66B for <dnsop@ietfa.amsl.com>; Wed, 6 Jan 2021 12:48:53 -0800 (PST)
Received: from mail-il1-x12d.google.com (mail-il1-x12d.google.com [IPv6:2607:f8b0:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0DAF23A116A for <dnsop@ietf.org>; Wed, 6 Jan 2021 12:48:53 -0800 (PST)
Received: by mail-il1-x12d.google.com with SMTP id e7so4534008ile.7 for <dnsop@ietf.org>; Wed, 06 Jan 2021 12:48:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=CZQUjLj2a9R3HfGK5liingNEcoNudyc+4OihjCLSc68=; b=YtQKbOP8YC5DCiUgoIXOg0hKBZ32t+8VgNt28lqFBz4YCXTZA9MXGWs47sPzzZj/SO VhBO7GEX5/mazkK0oiFr3mSQzgde4J3ajXupQ4MjqOcOkjPR230re8GpyeGGdOj/oyM/ yNpucEcFzIYdv075NevOVm2zIoiYP5gEYO/iML2wCb5kbQkkW5X+i/YUwErY/XFPtg46 iuBiIZfGAtETRpDTFjguxRHeIlP5wXjZGNBqX/vI+WXvcK9shC/j4pyrBS9FhQxCeC+J C8/2cahgIC7ujh8j7IunK+BJ+QMAiHD02JpFvY9YopkU+mNOIg0Floc2xHBChoqwNTh0 UjTw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=CZQUjLj2a9R3HfGK5liingNEcoNudyc+4OihjCLSc68=; b=Yl6DSr5Ch07NledLvEnpwNH+203nNZvCrxa+9UOJLGGzTyZrfXUCNOhDRlg7/E9/3v lL2WftQYGtPGzDMZNBV9tg/zSQGxI+LpzxFk1SKDaAzh5YXmvPGB8OAG7ZNn+/QkOUhc Cz7fEmI++ZHdHu7DlXv+9uRqynXDvp4h9graNOMStorun0v39grx+E0sXxQSwqcMF/oM j7s71IPMASLz+YeLPM2GQtDwFc63176vSMMuWwi372EahDVzS4VFOlpFfe+9vJgjSBNv OSxzrR+k9IWd3Fye4xwfVm3LQIziXe71U1YKvf1myI/sU3jg09lgXMjOwAf7IWzymym8 8m/A==
X-Gm-Message-State: AOAM533KBpDeJW9SaIEw7/vV5+X36l4HGZbS30NAfDpn0JzWPRx055xQ R2fKQNlqLLk/FW3LuDgyCCZEAtzs/6aMiAbwF+ZIobcfexc=
X-Google-Smtp-Source: ABdhPJx85fE6YdnQ7I/RW361C+5/I/DhKUvN/86Ll+1CsN9FlMNzMwr93+hLD8V8mmeHNPCzl0ULZ4TumC6hwdj8nn8=
X-Received: by 2002:a05:6e02:104b:: with SMTP id p11mr6048617ilj.241.1609966132244; Wed, 06 Jan 2021 12:48:52 -0800 (PST)
MIME-Version: 1.0
References: <CAHbrMsDAMsXzAhcu35_GqL54JNF2jO-HhYWEZyE2VLP=V8dN5A@mail.gmail.com> <9F0E83E0-EAB1-4508-9D55-850294204BD2@hopcount.ca>
In-Reply-To: <9F0E83E0-EAB1-4508-9D55-850294204BD2@hopcount.ca>
From: Ben Schwartz <bemasc@google.com>
Date: Wed, 06 Jan 2021 15:48:41 -0500
Message-ID: <CAHbrMsC+Et+iva-3Z1dqHn0HO_njhJT3q-gmoJcyopML_WDCWw@mail.gmail.com>
To: Joe Abley <jabley@hopcount.ca>
Cc: Paul Wouters <paul@nohats.ca>, dnsop <dnsop@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="0000000000006ee30805b8417351"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/yu1aJNWaC5StE-fHwPfFxMRv4II>
Subject: Re: [DNSOP] [Ext] Call for Adoption: draft-hoffman-dnssec-iana-cons
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jan 2021 20:48:55 -0000

On Wed, Jan 6, 2021 at 3:37 PM Joe Abley <jabley@hopcount.ca> wrote:

> On Jan 6, 2021, at 14:45, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
> wrote:
>
> > That model works well when (a) all validators implement an algorithm you
> like OR (b) you view each algorithm as either "definitely strong" or
> "worthless" (no middle ground).
>
> We are in scenario (b).
>

I think the long half-life of RSA-1024 is an example of a violation of
(b).  I bet there are many operators who view it as neither strong nor
worthless.  SHA-1 post-SHAtter is another possible concern.


> When you sign a zone you choose one or more algorithms that are
> individually sufficient. Their relative strength is not important.
>

I agree, that's what the RFCs effectively require, but it's not the only
possible arrangement.

...

> There's nothing practically preventing validators from applying local
> policy in the way they determine whether a response is authentic. Whether
> or not that's a good idea is an interesting question, but I think it's
> orthogonal to how individual RRSets are signed.
>

I don't think it is orthogonal.  The prevalent local validator policies
change the effect that zone owner choices will have, so zone owners need to
know what those policies are.

> Telling validators to "insist" that all signatures are valid would
> resolve this dilemma.  Zone owners could add algorithms without weakening
> anything.
>
> How do you deploy a new signing algorithm alongside an established one
> without going dark to users using validators that don't support it, in that
> case?
>

To clarify, I meant "all signatures under algorithms that are implemented
by the validator", i.e. "check everything you can".


>
>
> Joe

v2.23.0 | Report a Bug | By Email