[DNSOP] Re: New draft on collision free key tags in DNSSEC

"libor.peltan" <libor.peltan@nic.cz> Thu, 01 August 2024 08:39 UTC

Message-ID: <5da672f1-aee0-4e95-a352-3a5ccc94f260@nic.cz>
Date: Thu, 01 Aug 2024 10:39:30 +0200
To: Paul Wouters <paul@nohats.ca>, Petr Špaček <pspacek@isc.org>
References: <db4ce7d8-4956-4c59-b396-c564f513f19b@isc.org> <3E149511-8FF0-4F07-AA81-0C7FCBEFC1DB@nohats.ca>
From: "libor.peltan" <libor.peltan@nic.cz>
In-Reply-To: <3E149511-8FF0-4F07-AA81-0C7FCBEFC1DB@nohats.ca>
CC: dnsop@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/z_obL7qP1Fp3Y6ZI-pBCED6wFuU>

On 31. 07. 24 at 19:18 Paul Wouters wrote:
> Rate limit these at 10/sec ? Will allow random cases to work but will stop ddos.
>
>
Such ideas are almost always bad. This only leads to a situation where the 
resolution of a particular zone sometimes works and sometimes doesn't, 
being undebuggable. And any adversary can easily cause it to never work, 
just by sending those 10 qps themselves.

Libor
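A toy model of the argument above, added here as an example and not code from the draft or from anyone in this thread. It assumes a naive fixed-window counter ("at most 10 per wall-clock second") guarding the extra work a validator does when several DNSKEYs share a key tag, and constructs three arrival schedules for one simulated minute: the legitimate resolver alone, the resolver competing with another party sending exactly the limit evenly spread, and the same 10/s sent as a burst at the start of each second. All schedules, the window size and the limit are constructed assumptions.

```python
"""Fixed-window rate limiting of key-tag-collision handling: a toy model.

Added example, not code from the draft or from this thread. The 1-second
fixed-window counter, the arrival schedules and the 60-second run are
constructed assumptions used to illustrate the argument in the message
above: a shared budget of N per second is consumed by whoever arrives
first, so the legitimate resolver's success depends purely on timing.
"""
from dataclasses import dataclass


@dataclass
class FixedWindowLimiter:
    """Naive 'at most `limit` events per wall-clock second' counter (assumed design)."""
    limit: int
    window: int = -1
    count: int = 0

    def allow(self, now_ms: int) -> bool:
        window = now_ms // 1000      # one-second window this event falls in
        if window != self.window:    # first event of a new window resets the budget
            self.window = window
            self.count = 0
        if self.count < self.limit:
            self.count += 1
            return True
        return False


def schedule(start_ms: int, interval_ms: int, per_burst: int, duration_ms: int) -> list[int]:
    """Constructed traffic: `per_burst` events 1 ms apart, repeated every `interval_ms`."""
    times = []
    t = start_ms
    while t < duration_ms:
        times.extend(t + i for i in range(per_burst))
        t += interval_ms
    return times


def legit_success_rate(legit_ms, other_ms, limit: int = 10) -> float:
    """Fraction of the legitimate resolver's attempts that get through the shared limiter."""
    # On equal timestamps the other traffic is processed first (worst case for the resolver).
    events = sorted([(t, 0) for t in other_ms] + [(t, 1) for t in legit_ms])
    limiter = FixedWindowLimiter(limit)
    served = 0
    for t, is_legit in events:
        if limiter.allow(t) and is_legit:   # allow() is called for every event
            served += 1
    return served / len(legit_ms)


DURATION_MS = 60_000  # one simulated minute


def baseline() -> float:
    """One legitimate attempt per second, nobody else: every attempt is served."""
    return legit_success_rate(schedule(500, 1000, 1, DURATION_MS), [])


def with_spread_sender() -> float:
    """Another party sends exactly the limit (10/s), evenly spread. The resolver retries
    every 1.1 s, so its offset drifts across the window: served most seconds, not all."""
    other = schedule(0, 100, 1, DURATION_MS)
    legit = schedule(50, 1100, 1, DURATION_MS)
    return legit_success_rate(legit, other)


def with_burst_sender() -> float:
    """The same 10/s, sent as a burst at the start of each second: the budget is already
    spent when the legitimate attempt arrives at the half-second mark, so it is never served."""
    other = schedule(0, 1000, 10, DURATION_MS)
    legit = schedule(500, 1000, 1, DURATION_MS)
    return legit_success_rate(legit, other)


if __name__ == "__main__":
    for name, fn in [("baseline", baseline),
                     ("spread 10/s", with_spread_sender),
                     ("burst 10/s", with_burst_sender)]:
        print(f"{name:12s} legitimate attempts served: {fn():.0%}")
```

The spread case is the "sometimes works, sometimes doesn't" outcome: the resolver is served in 50 of its 55 attempts, failing exactly in the seconds where its retry lands after the tenth foreign query. The burst case is the "never works" outcome: no more traffic than the limit itself, only differently timed. A token bucket or a sliding window would shift the exact numbers but not the shape of the result, since any budget shared across all senders is spent by whoever gets there first.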