IETF Logo Mail Archive

Re: [DNSOP] [Ext] More private algorithms for DNSSEC

Mark Andrews <marka@isc.org> Mon, 28 March 2022 21:08 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 526EB3A1935 for <dnsop@ietfa.amsl.com>; Mon, 28 Mar 2022 14:08:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.109
X-Spam-Level:
X-Spam-Status: No, score=-7.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b=Bn4Z8s6P; dkim=pass (1024-bit key) header.d=isc.org header.b=Yo2r4LPd
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id axnEtbVgO4eY for <dnsop@ietfa.amsl.com>; Mon, 28 Mar 2022 14:08:09 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 556F83A1291 for <dnsop@ietf.org>; Mon, 28 Mar 2022 14:08:08 -0700 (PDT)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.1.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 963813AB007; Mon, 28 Mar 2022 21:08:07 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org 963813AB007
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1648501687; bh=IC/U2vhBSUKxZz9xDMBPuzTkEZekQ9lHksP08GIzOzU=; h=From:Subject:Date:References:Cc:In-Reply-To:To; b=Bn4Z8s6P6YOecIDehL5P7UNtJFUQcE3JJtygK3VjEQTyXG0BOJQuTvWIIeX7m37TA odR6odW6AlQG1GA60gpmd0yozSuutl4LHyxupWbdI7JSS8ZeF/of6fsy4+cy4Xzv0k 0giG9ZUWjbnE9nP+D5bpuUhVSGpfv8nBUeuIyRuY=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id 7D1991104AA8; Mon, 28 Mar 2022 21:07:07 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 536051104AAA; Mon, 28 Mar 2022 21:07:07 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 536051104AAA
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1648501627; bh=nYGJ6DseIXbC28C5bjHgqq50WKfquntjj+EVAkTDv7M=; h=From:Mime-Version:Date:Message-Id:To; b=Yo2r4LPd4FCthtxoMjz6VjlyzpZNRPjBNuBLJCNKo2J2DN/HZWUvAu8OkGtOjLxnS HYJ35BrPKVnyQnDjJSzMlLBsmh6VfW3J4rs56T4NPQWFrZI+0TVv7l1QLd1MBvio3D fvTF7U3SXsl3rVU0g9mTgbLNZK6BqkbG5GGmDwg4=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id cnIrTrJg0EBO; Mon, 28 Mar 2022 21:07:07 +0000 (UTC)
Received: from smtpclient.apple (n114-74-26-107.bla4.nsw.optusnet.com.au [114.74.26.107]) by zimbrang.isc.org (Postfix) with ESMTPSA id C48B21104AA8; Mon, 28 Mar 2022 21:07:06 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Mark Andrews <marka@isc.org>
Mime-Version: 1.0 (1.0)
Date: Tue, 29 Mar 2022 08:08:03 +1100
Message-Id: <C65EB811-E636-4732-AB41-2DE32A297D5F@isc.org>
References: <585479E8-293C-42D4-BA2F-7FD99B27EBDE@isc.org>
Cc: dnsop WG <dnsop@ietf.org>
In-Reply-To: <585479E8-293C-42D4-BA2F-7FD99B27EBDE@isc.org>
To: Paul Hoffman <paul.hoffman@icann.org>
X-Mailer: iPhone Mail (19D52)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/zkEr9Kpv6uLF1klRK07oHVW-sZg>
Subject: Re: [DNSOP] [Ext] More private algorithms for DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Mar 2022 21:08:14 -0000

  Note you can’t prepublish a DS to roll keys  you need to publish the DNSKEY first. 

-- 
Mark Andrews

> On 29 Mar 2022, at 05:33, Mark Andrews <marka@isc.org> wrote:
> 
> 
> 
>> On 29 Mar 2022, at 01:34, Paul Hoffman <paul.hoffman@icann.org> wrote:
>> 
>>> On Mar 27, 2022, at 6:23 PM, Mark Andrews <marka@isc.org> wrote:
>>> There is zero reason to reserve any ADDITIONAL space for experimentation.
>> 
>> Assume that you want to experiment with creating responses that have multiple as-yet-undefined algorithms. How would you do that today? Differentiating in the RRdata, as is done today, would create a single RRset in the response.
>> 
>> --Paul Hoffman
>> 
> 
> You would add records of type 253 with “alg1.example.org” as the first algorithm name, “alg2.example.org” as the second algorithm name where example.org is a domain you control. If someone else is running another experiment they add 253 with the algorithm name specified as “alg1.example.net” where example.net is a domain they control.
> 
> When you are checking if you support a particular instance of PRIVATEDNS you check the algorithm name as well as the algorithm number (253).
> 
> For working out if the DS record indicates support for your PRIVATEDNS algorithm you need to find the matching DNSKEY based on the hash and extract the PRIVATEDNS algorithm name.  If you can’t find a matching DNSKEY the DNSKEY RRset is bogus as the DS record says that the DNSKEY record exists.
> 
> If you want to see how this would work add “PRIVATE-RSASHA256” using RSASHA256.ICANN.ORG as the first algorithm name and “PRIVATE-ECDSAP256SHA256” with ECDSAP256SHA256.ICANN.ORG as the second name as a starting point where they are reimplementations of RSASHA256 and ECDSAP256SHA256 respectively.  Throw in “UNKNOWN.ICANN.ORG” with some random data as the rest of the key.
> 
> About the only part not already specified is matching DS to DNSKEY using PRIVATEDNS but as you can see it is obvious to anyone with a little bit of cryptographic understanding.
> 
> Mark
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.38.3 | Report a Bug | By Email | System Status