Re: draft-ietf-dnsext-dnssec-gost
Martin Rex <mrex@sap.com> Mon, 15 February 2010 23:36 UTC
Return-Path: <mrex@sap.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 270CE3A6AD0 for <ietf@core3.amsl.com>; Mon, 15 Feb 2010 15:36:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.215
X-Spam-Level:
X-Spam-Status: No, score=-10.215 tagged_above=-999 required=5 tests=[AWL=0.034, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hd6f3NP-Dyxb for <ietf@core3.amsl.com>; Mon, 15 Feb 2010 15:36:10 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.171]) by core3.amsl.com (Postfix) with ESMTP id 0C6BF3A7BEF for <ietf@ietf.org>; Mon, 15 Feb 2010 15:36:09 -0800 (PST)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id o1FNbclx004626 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 16 Feb 2010 00:37:38 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <201002152337.o1FNbbji028843@fs4113.wdf.sap.corp>
Subject: Re: draft-ietf-dnsext-dnssec-gost
To: marka@isc.org
Date: Tue, 16 Feb 2010 00:37:37 +0100
In-Reply-To: <201002152131.o1FLVZNX096905@drugs.dv.isc.org> from "Mark Andrews" at Feb 16, 10 08:31:35 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal07
X-SAP: out
Cc: ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Feb 2010 23:36:11 -0000
Mark Andrews wrote: > > In message <201002151420.o1FEKCMx024227@fs4113.wdf.sap.corp>, Martin Rex writes > : > > OK, I'm sorry. For the DNSsec GOST signature I-D, the default/prefered (?) > > parameter sets are explicitly listed in last paragraph of section 2 > > of draft-ietf-dnsext-dnssec-gost-06. However, it does _NOT_ say what to > > do if GOST R34.10-2001 signatures with other parameter sets are encountered. > > Since each end adds the parameters and they are NOT transmitted this > can never happen. If one end was to change the parameters then nothing > would validate. OK. I didn't know anything abouth DNSSEC when I entered the disussion... Having scanned some of the available document (rfc-4034,rfc-4035,rfc-2536 and the expired I-D draft-ietf-dnsext-ecc-key-10.txt) I'm wondering about the following: - the DNS security algorithm tag ought to be GOST R34.10-2001 and not just "GOST" - DSA and the expired ECC draft spell out the entire algorithm parameters in the key RRs, which preclues having to assign additional algorithm identifiers if a necessity comes up to use different algorithm parameters. Wouldn't it be sensible to do the same for GOST R34.10-2001 keys -- i.e. list the parameter set as part of the public key data? Given the procedure of the standardization body that defines GOST the parameter set OID could be used in alternative to spelling out each of the element in the parameter set in full. Implying the paramter set A for the GOST R34.10-2001 algorithm does not seem very "agile", given the limited number range for the algorithm field in DNS security. Given the differences between -1994 and -2001 versions, any successor GOST R34.10-201X standard may not be able to reuse the DNSKEY record anyway and need a new algorithm identifier. And at that point, an unqualified label "GOST" would become ambiguous. As previously mentioned, current uses of GOST R34.11 should be changed to GOST R34.11-1994 as well (prevent ambiguity with a future/updated hash algorithm for GOST). -Martin
- Re: draft-ietf-dnsext-dnssec-gost Paul Hoffman
- Re: draft-ietf-dnsext-dnssec-gost Olafur Gudmundsson
- draft-ietf-dnsext-dnssec-gost Stephen Kent
- Re: draft-ietf-dnsext-dnssec-gost Andrew Sullivan
- Re: draft-ietf-dnsext-dnssec-gost Paul Hoffman
- Re: draft-ietf-dnsext-dnssec-gost Richard L. Barnes
- Re: draft-ietf-dnsext-dnssec-gost Martin Rex
- Re: draft-ietf-dnsext-dnssec-gost Michael Dillon
- Re: draft-ietf-dnsext-dnssec-gost Sean Turner
- Re: draft-ietf-dnsext-dnssec-gost Martin Rex
- Re: draft-ietf-dnsext-dnssec-gost Sean Turner
- Re: draft-ietf-dnsext-dnssec-gost Basil Dolmatov
- Re: draft-ietf-dnsext-dnssec-gost Basil Dolmatov
- Re: draft-ietf-dnsext-dnssec-gost Stephen Farrell
- Re: draft-ietf-dnsext-dnssec-gost Andrew Sullivan
- Re: draft-ietf-dnsext-dnssec-gost Stephen Kent
- Re: draft-ietf-dnsext-dnssec-gost Martin Rex
- Re: draft-ietf-dnsext-dnssec-gost David Conrad
- Re: draft-ietf-dnsext-dnssec-gost Edward Lewis
- Re: draft-ietf-dnsext-dnssec-gost Sean Turner
- Re: draft-ietf-dnsext-dnssec-gost Olafur Gudmundsson
- Re: draft-ietf-dnsext-dnssec-gost Martin Rex
- Re: draft-ietf-dnsext-dnssec-gost Basil Dolmatov
- Re: draft-ietf-dnsext-dnssec-gost Basil Dolmatov
- Re: draft-ietf-dnsext-dnssec-gost ned+ietf
- Re: draft-ietf-dnsext-dnssec-gost Martin Rex
- Re: draft-ietf-dnsext-dnssec-gost Stephen Kent
- Re: draft-ietf-dnsext-dnssec-gost Stephen Kent
- RE: draft-ietf-dnsext-dnssec-gost Rex, Martin
- Re: draft-ietf-dnsext-dnssec-gost Spencer Dawkins
- Re: draft-ietf-dnsext-dnssec-gost Martin Rex
- Re: draft-ietf-dnsext-dnssec-gost Mark Andrews
- Re: draft-ietf-dnsext-dnssec-gost Martin Rex
- Re: draft-ietf-dnsext-dnssec-gost Olafur Gudmundsson
- Re: draft-ietf-dnsext-dnssec-gost Olafur Gudmundsson
- Re: draft-ietf-dnsext-dnssec-gost Basil Dolmatov
- Re: draft-ietf-dnsext-dnssec-gost Andrew Sullivan
- Re: draft-ietf-dnsext-dnssec-gost Martin Rex
- Re: draft-ietf-dnsext-dnssec-gost Ran Atkinson
- Re: draft-ietf-dnsext-dnssec-gost Phillip Hallam-baker
- Re: draft-ietf-dnsext-dnssec-gost Phillip Hallam-baker
- Re: draft-ietf-dnsext-dnssec-gost Olafur Gudmundsson