Re: [DNSOP] [Ext] About key tags

John R Levine <johnl@taugh.com> Tue, 27 February 2024 22:58 UTC

Date: Tue, 27 Feb 2024 17:58:36 -0500
Message-ID: <a515dbd0-7789-00a2-8249-785fc748e4d4@taugh.com>
From: John R Levine <johnl@taugh.com>
To: Mark Andrews <marka@isc.org>
Cc: dnsop@ietf.org
In-Reply-To: <447E01C7-C245-4BA3-88C7-AF847B50047A@isc.org>
References: <20240227220905.E06018410007@ary.qy> <447E01C7-C245-4BA3-88C7-AF847B50047A@isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/zB459LSjjoc0RAwWO7jk4Mdu7is>

>> The kind of load is different but in each case the client needs to
>> limit the amount of work it's willing to do. We can forbid it in the
>> protocol but unless you have better contacts at the Protocol Police
>> than I do, people will do it anyway.
>
> If you forbid it in the protocol the tools will be fixed to prevent it
> occurring when signing and the validators don’t have to be prepared
> to play trial and error when there are duplicate tags in a DNSKEY
> RRset. ...

That's all true, but people will publish them anyway, so the tools need to 
defend against them no matter what the protocol says.  Based on what I've 
seen, pairs of colliding tags appear innocently, larger numbers don't, so 
you set the limit in the single digits.

Is it really so much harder to write code that allows, say, three 
signatures and three IDs than code that only allows one?  As I hardly need 
point out, the process cost of changing the protocol is high, and it will 
take approximately forever for the long tail to notice.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
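A validator-side version of the bound discussed in this message, as an added example that is not code from the thread or from any DNS implementation: it computes RFC 4034 key tags, constructs four distinct DNSKEYs that deliberately share one tag, and refuses to try more than a small number of candidate keys per tag or signature checks per RRset. The two limits and the injected verify() callback are assumptions, not anything the thread specifies.

```python
from collections import defaultdict
from typing import Callable

MAX_KEYS_PER_TAG = 3       # assumed limit: how many DNSKEYs may share one tag
MAX_VERIFY_ATTEMPTS = 9    # assumed budget: signature checks per RRset validation


def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B (non-algorithm-1 form)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """Flags(2) | Protocol(1, always 3) | Algorithm(1) | Public Key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + pubkey


def select_candidates(dnskeys, sig_tag, sig_alg, limit=MAX_KEYS_PER_TAG):
    """Keys matching an RRSIG's tag and algorithm; None if too many collide."""
    by_tag = defaultdict(list)
    for rd in dnskeys:
        by_tag[key_tag(rd)].append(rd)
    cands = [rd for rd in by_tag[sig_tag] if rd[3] == sig_alg]
    return None if len(cands) > limit else cands


def validate_bounded(dnskeys, rrsigs, verify: Callable[[bytes, bytes], bool],
                     budget=MAX_VERIFY_ATTEMPTS):
    """rrsigs: (key_tag, algorithm, signature) tuples. Returns (valid, attempts).
    verify() stands in for the real cryptographic check and is injected."""
    attempts = 0
    for tag, alg, sig in rrsigs:
        cands = select_candidates(dnskeys, tag, alg)
        if cands is None:
            return False, attempts      # refuse trial-and-error over many keys
        for rd in cands:
            if attempts >= budget:
                return False, attempts  # hard cap on total work per RRset
            attempts += 1
            if verify(rd, sig):
                return True, attempts
    return False, attempts


# Constructed keys: different public-key bytes, identical key tag (1041).
COLLIDING = [dnskey_rdata(257, 13, k) for k in
             (b"\x00\x01\x00\x02", b"\x00\x02\x00\x01",
              b"\x00\x03\x00\x00", b"\x00\x00\x00\x03")]

if __name__ == "__main__":
    print(select_candidates(COLLIDING, 1041, 13))  # None: four keys share tag 1041
```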