Re: [Last-Call] [Ext] Opsdir last call review of draft-ietf-dnsop-dnssec-bcp-03
Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 25 September 2022 21:13 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B3A2C14CEFC; Sun, 25 Sep 2022 14:13:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.21
X-Spam-Level:
X-Spam-Status: No, score=-1.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_RUURL=3, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RMXRhlaeNc18; Sun, 25 Sep 2022 14:13:32 -0700 (PDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC912C14F735; Sun, 25 Sep 2022 14:13:31 -0700 (PDT)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id 48AB8113320; Sun, 25 Sep 2022 17:13:30 -0400 (EDT)
Date: Sun, 25 Sep 2022 17:13:30 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: last-call@ietf.org, dnsop <dnsop@ietf.org>
Message-ID: <YzDEelh6FIdokOAK@straasha.imrryr.org>
Reply-To: dnsop@ietf.org, last-call@ietf.org
References: <166412950464.63261.16113770307028490009@ietfa.amsl.com> <YzClZZNzLnpTVjJ7@straasha.imrryr.org> <E701F7EB-1D38-4415-BC09-48E0268CAA71@icann.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <E701F7EB-1D38-4415-BC09-48E0268CAA71@icann.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/CEagyE1XwGt5Bp5lB9fqb4PEgVI>
Subject: Re: [Last-Call] [Ext] Opsdir last call review of draft-ietf-dnsop-dnssec-bcp-03
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Sep 2022 21:13:33 -0000
On Sun, Sep 25, 2022 at 08:27:19PM +0000, Paul Hoffman wrote:
> > In:
> >
> > 3. Additional Cryptographic Algorithms and DNSSEC
> >
> > [...]
> > The GOST signing algorithm [RFC5933] was also adopted, but has seen
> > very limited use, likely because it is a national algorithm specific
> > to a very small number of countries.
> >
> > GOST is more than merely unpopular, the underlying revision of the GOST
> > algorithms have been deprecated and replaced, and RFC 8624 lists GOST as "MUST NOT"
> > for signing.
>
> That is being rectified in the DNSOP WG, albeit too slowly to be
> reflected in this document.
Note that my point was not about the status of GOST viz DNSSEC, but
rather that the Russian Federation has deprecated and superseded the
version of GOST (GOST R 34.10-2001) that is the basis of algorithm 12.
Therefore, its use even inside .RU/.рф is no longer appropriate. The
algorithm is pining for fjords (<https://www.youtube.com/watch?v=vZw35VUBdzo>).
> > I take issue with the next paragraph:
> >
> > Implementation developers who want to know which algorithms to
> > implement in DNSSEC software should refer to [RFC8624]. Note that
> > this specification is only about what algorithms should and should
> > not be included in implementations: it is not advice for which
> > algorithms that zone operators should and should not sign with, nor
> > which algorithms recursive resolver operators should or should not
> > validate.
> >
> > Sure, the opening sentence of Section 3.1 reads:
> >
> > The following table lists the implementation recommendations for
> > DNSKEY algorithms.
> >
> > but an attentive operator should and will indeed take this advice into
> > consideration. Many have already, and adoption of the deprecated algorithms 5
> > and 7 have declined by ~95% from their peak values.
>
> This document is not the place to re-litigate the scope of RFC 8624,
> not is it a good place to say what "an attentive operators should" do
> other than to read the listed RFCs.
Well, in that case it should also not make a strong disclaimer to the
effect that 8624 is not advice to operators. It plainly is used as
such. Perhaps silence on that topic would be best.
--
Viktor.
- [Last-Call] Opsdir last call review of draft-ietf… Gyan Mishra via Datatracker
- Re: [Last-Call] Opsdir last call review of draft-… Viktor Dukhovni
- Re: [Last-Call] [Ext] Opsdir last call review of … Paul Hoffman
- Re: [Last-Call] [Ext] Opsdir last call review of … Viktor Dukhovni
- Re: [Last-Call] [Ext] Opsdir last call review of … Rob Sayre