From: Mark Andrews <marka@isc.org>
Mime-Version: 1.0 (1.0)
Date: Tue, 29 Mar 2022 08:08:03 +1100
Message-Id: <C65EB811-E636-4732-AB41-2DE32A297D5F@isc.org>
References: <585479E8-293C-42D4-BA2F-7FD99B27EBDE@isc.org>
Cc: dnsop WG <dnsop@ietf.org>
In-Reply-To: <585479E8-293C-42D4-BA2F-7FD99B27EBDE@isc.org>
To: Paul Hoffman <paul.hoffman@icann.org>
X-Mailer: iPhone Mail (19D52)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/zkEr9Kpv6uLF1klRK07oHVW-sZg>
Subject: Re: [DNSOP] [Ext]  More private algorithms for DNSSEC
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>

Note you can’t prepublish a DS to roll keys; you need to publish the DNSKEY first.

-- 
Mark Andrews

> On 29 Mar 2022, at 05:33, Mark Andrews <marka@isc.org> wrote:
>
>> On 29 Mar 2022, at 01:34, Paul Hoffman <paul.hoffman@icann.org> wrote:
>>
>>> On Mar 27, 2022, at 6:23 PM, Mark Andrews <marka@isc.org> wrote:
>>> There is zero reason to reserve any ADDITIONAL space for experimentation.
>>
>> Assume that you want to experiment with creating responses that have multiple as-yet-undefined algorithms. How would you do that today? Differentiating in the RRdata, as is done today, would create a single RRset in the response.
>>
>> --Paul Hoffman
>>
>
> You would add records of type 253 with “alg1.example.org” as the first algorithm name and “alg2.example.org” as the second algorithm name, where example.org is a domain you control. If someone else is running another experiment, they add 253 with the algorithm name specified as “alg1.example.net”, where example.net is a domain they control.
>
> When you are checking if you support a particular instance of PRIVATEDNS you check the algorithm name as well as the algorithm number (253).
>
> For working out if the DS record indicates support for your PRIVATEDNS algorithm you need to find the matching DNSKEY based on the hash and extract the PRIVATEDNS algorithm name. If you can’t find a matching DNSKEY the DNSKEY RRset is bogus, as the DS record says that the DNSKEY record exists.
>
> If you want to see how this would work, add “PRIVATE-RSASHA256” using RSASHA256.ICANN.ORG as the first algorithm name and “PRIVATE-ECDSAP256SHA256” with ECDSAP256SHA256.ICANN.ORG as the second name as a starting point, where they are reimplementations of RSASHA256 and ECDSAP256SHA256 respectively. Throw in “UNKNOWN.ICANN.ORG” with some random data as the rest of the key.
>
> About the only part not already specified is matching DS to DNSKEY using PRIVATEDNS, but as you can see it is obvious to anyone with a little bit of cryptographic understanding.
>
> Mark
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
>
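The DS-to-DNSKEY matching and algorithm-name extraction described in the quoted message, as an added worked example in Python; this is not code from the original thread, from ISC, or from any DNS implementation. It assumes the names alg1.example.org, alg2.example.org and unknown.example.net from the discussion, constructed placeholder key material, and SHA-256 (digest type 2) DS records. The DNSKEY wire layout, the key tag and the DS digest follow RFC 4034, while `classify_ds` and its result labels are this example's own.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple

# Algorithm number reserved for PRIVATEDNS (RFC 4034 Appendix A.1.1): the public
# key field starts with an uncompressed wire-format domain name that names the
# private algorithm, followed by whatever key material that algorithm uses.
PRIVATEDNS = 253

def name_to_wire(name: str) -> bytes:
    """Encode a domain name as an uncompressed, lowercased wire-format name."""
    out = bytearray()
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return bytes(out) + b"\x00"

def wire_to_name(buf: bytes) -> Tuple[str, bytes]:
    """Parse one uncompressed wire-format name; return (name, unparsed remainder)."""
    labels, pos = [], 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated name")
        n, pos = buf[pos], pos + 1
        if n == 0:
            break
        if n & 0xC0:  # compression pointers MUST NOT appear in this field
            raise ValueError("compressed name in PRIVATEDNS key field")
        labels.append(buf[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels) + ".", buf[pos:]

@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)

    def key_tag(self) -> int:
        """Key tag over the RDATA, RFC 4034 Appendix B (the non-RSA/MD5 form)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b << 8 if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def private_algorithm_name(self) -> Optional[str]:
        """The algorithm name at the front of a PRIVATEDNS public key, else None."""
        if self.algorithm != PRIVATEDNS:
            return None
        return wire_to_name(self.public_key)[0]

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int  # 2 = SHA-256, the only digest type this example computes
    digest: bytes

def make_privatedns_key(flags: int, alg_name: str, key_material: bytes) -> DNSKEY:
    """Build a DNSKEY for algorithm 253 whose public key starts with alg_name."""
    return DNSKEY(flags, 3, PRIVATEDNS, name_to_wire(alg_name) + key_material)

def ds_digest(owner: str, key: DNSKEY) -> bytes:
    """DS digest = SHA-256(owner name in canonical wire form || DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + key.rdata()).digest()

def ds_from_dnskey(owner: str, key: DNSKEY) -> DS:
    return DS(key.key_tag(), key.algorithm, 2, ds_digest(owner, key))

def find_matching_dnskey(owner: str, ds: DS, dnskeys: Iterable[DNSKEY]) -> Optional[DNSKEY]:
    """The DNSKEY a DS points at (key tag, algorithm and digest all agree), or None."""
    for key in dnskeys:
        if key.algorithm != ds.algorithm or key.key_tag() != ds.key_tag:
            continue
        if ds.digest_type == 2 and ds_digest(owner, key) == ds.digest:
            return key
    return None

def classify_ds(owner: str, ds: DS, dnskeys: Iterable[DNSKEY],
                supported: Set[str]) -> Tuple[str, Optional[str]]:
    """Label a DS the way the message describes: 'bogus' when no DNSKEY matches,
    otherwise 'supported'/'unsupported' by the embedded PRIVATEDNS algorithm name."""
    key = find_matching_dnskey(owner, ds, dnskeys)
    if key is None:
        return "bogus", None  # DS says the key exists; the RRset does not have it
    if key.algorithm != PRIVATEDNS:
        return "not-privatedns", None
    name = key.private_algorithm_name()
    return ("supported" if name in supported else "unsupported"), name
```

A DS built from a key that is absent from the DNSKEY RRset classifies as `('bogus', None)`, which is also what a DS pushed to the parent ahead of its DNSKEY looks like to a validator, the ordering point made at the top of the message. A PRIVATEDNS key whose embedded name is not in `supported` comes back as `('unsupported', name)` rather than bogus: the DS matched, so the key exists, but this validator cannot use it.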

