[dnsext] draft-hoffman-dnssec-* (DNSSEC algorithm drafts)
Alfred Hönes <ah@TR-Sys.de> Fri, 18 September 2009 11:47 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-namedroppers-archive-gleetwall6@core3.amsl.com
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1A33428C1B9; Fri, 18 Sep 2009 04:47:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.772
X-Spam-Level: ***
X-Spam-Status: No, score=3.772 tagged_above=-999 required=5 tests=[AWL=-0.478, BAYES_00=-2.599, CHARSET_FARAWAY_HEADER=3.2, FH_RELAY_NODNS=1.451, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, MIME_8BIT_HEADER=0.3, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ax+1yckklEuW; Fri, 18 Sep 2009 04:47:16 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 933BA3A69D8; Fri, 18 Sep 2009 04:47:16 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1Mobrd-0001Yi-2l for namedroppers-data0@psg.com; Fri, 18 Sep 2009 11:42:57 +0000
Received: from [213.178.172.147] (helo=TR-Sys.de) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <A.Hoenes@TR-Sys.de>) id 1MobrR-0001Vw-F6 for namedroppers@ops.ietf.org; Fri, 18 Sep 2009 11:42:54 +0000
Received: from ZEUS.TR-Sys.de by w. with ESMTP ($Revision: 1.37.109.26 $/16.3.2) id AA080334121; Fri, 18 Sep 2009 13:42:01 +0200
Received: (from ah@localhost) by z.TR-Sys.de (8.9.3 (PHNE_25183)/8.7.3) id NAA17386; Fri, 18 Sep 2009 13:42:00 +0200 (MESZ)
From: Alfred Hönes <ah@TR-Sys.de>
Message-Id: <200909181142.NAA17386@TR-Sys.de>
Subject: [dnsext] draft-hoffman-dnssec-* (DNSSEC algorithm drafts)
To: paul.hoffman@vpnc.org, namedroppers@ops.ietf.org
Date: Fri, 18 Sep 2009 13:42:00 +0200
X-Mailer: ELM [$Revision: 1.17.214.3 $]
Mime-Version: 1.0
Content-Type: text/plain; charset="hp-roman8"
Content-Transfer-Encoding: 8bit
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
List-Unsubscribe: To unsubscribe send a message to namedroppers-request@ops.ietf.org with
List-Unsubscribe: the word 'unsubscribe' in a single line as the message text body.
List-Archive: <http://ops.ietf.org/lists/namedroppers/>
For brevity, I refer in a single message to the following recent DNSSEC algorithm related drafts: 1.) draft-hoffman-dnssec-alg-allocation-01 2.) draft-hoffman-dnssec-dsa-sha2-00 3.) draft-hoffman-dnssec-ecdsa-00 I have reviewed these drafts, and I support adopting them all as DNSEXT work items. Set aside the policy direction for #1, there seems to be very little need of technical discussions, so this will not represent a significant contribution to the overall wg workload. [ Refraining from a few extraneous rounds in sustained and/or recurring circular discussions might provide ample wg cycles for dealing with these drafts . :-) ] #1 seems to be overdue and it is editorially already almost done; I noticed a single nit, listed in the appendix of this message. IMHO, what needed to be said regarding the intent and direction of this draft already has been said on the list. IANA reportedly now supports provisional registrations with a timeout set for expiry (unless confirmed by document action), which do not become visible in the published registries. I suggest to adopt these procedures for the benefit of draft authors, abating the need to defer example generation to AUTH48 and thus allowing better review and verification of examples. #2 and #3 are certainly needed in order to let DNSSEC keep pace with the development of crypto-algorithm science and technology, and with related fundamental standards, and to ensure longer term DNSSEC deployment support by significant authorities. An important additional momentum driving the modern algorithms into DNSSEC is the potential savings in DNS response size, as explained in these drafts. Not addressing these issues and broadening the algorithm portfolio in DNSSEC might otherwise turn out as a major obstacle to large scale DNSSEC deployment -- a goal always supported vividly by a majority on this list. I have found only a single issue deserving clarification in #2 and a bunch of minor issues to be addressed for #3 -- see below for the details. Thus, filling in the promised examples seems to be the only significant task left for the author ... :-) ... but that can only be done in a useful way once algorithm numbers have been assigned, hence the urgent need for #1 !! Appendix: review result details (1) draft-hoffman-dnssec-alg-allocation-01 Section 3, 2nd para, contains an extraneous word. Please correct: [...] mandatory to implement in the that standard, [...] --- ^^^^ [...] mandatory to implement in that standard, [...] (2) draft-hoffman-dnssec-dsa-sha2-00 I suggest improving the reasoning in Section 1 by amending its 2nd para, which states: RFC 2536 [RFC2536] describes the KEY and SIG resource records (RRs) for the DSA with SHA-1 signature algorithm. At the time RFC 2536 was written, SHA-1 was the only hash algorithm that was defined for use with DSA, and the only key size allowed was 1024 bits. FIPS 186-3 ([FIPS-186-3]) extends the original DSA definition to permit larger keys. This document neither updates nor replaces RFC 2536. This text reports what had been done in RFC 2536 for the KEY and SIG RRs, and then the recent developments in FIPS 186. The subsequent paragraphs discuss some Pros and Cons of DSA with SHA-2 hashes, and then indicate which additions to the *DNSSECbis* documents (RFC 403x) are needed to support that, thus introducing what will be done in the following sections for the *DNSKEY* and *RRSIG* RRs. I miss a link in the chain: what happened from RFC 2535 to RFC 403*, i.e. the step to the new DNSSEC RRs. Since RFC 2536 already has been obsoleted by DNSSECbis, the last sentence quoted above should be deleted. Hence, I propose to change/amend the 2nd para of Section 1 as follows: vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv v | For the original DNSSEC version, RFC 2536 [RFC2536] described the KEY and SIG resource records (RRs) for the DSA with SHA-1 signature algorithm. At the time RFC 2536 was written, SHA-1 was the only hash algorithm that was defined for use with DSA, and the only key size | allowed was 1024 bits. The DNSSECbis documents listed above have | introduced the DNSKEY and RRSIG RRs replacing these old DNSSEC RR | types, but they have not changed the algorithm portfolio (see in | particular Appendix A of [RFC4034]). FIPS 186-3 ([FIPS-186-3]) extends the original DSA definition to | permit larger keys. ^^^^^ [[ 2nd sentence deleted; perhaps better join this remaining sentence with the subsequent paragraph! ]] (3) draft-hoffman-dnssec-ecdsa-00 There are a couple of editorials to be corrected, and in Section 7, wisdom has to be added. I omit verbous reasoning for the straightforward editorials. (3a) Section 3 | Verifying ECDSA signatures require agreement between the signer and the verifier of the parameters used. FIPS 186-3 [FIPS-186-3] lists some NIST-recommended elliptic curves. These are the same curves listed in RFC 5114 [RFC5114]. The curves used in this document are: --- v | Verifying ECDSA signatures requires agreement between the signer and the verifier of the parameters used. FIPS 186-3 [FIPS-186-3] lists | some NIST-recommended elliptic curves. These are the same curves as listed in RFC 5114 [RFC5114]. The curves used in this document are: [[ better use "... same ... *as* ..." ]] (3b) Section 4, 1st para -- significant word omission ECDSA public keys consist of a single value, called "Q" in FIPS 186-3. In DNSSEC keys, Q is a simple bit string that represents the | uncompressed form of the curve. --- ECDSA public keys consist of a single value, called "Q" in FIPS 186-3. In DNSSEC keys, Q is a simple bit string that represents the | uncompressed form of a curve point. ^ ^^^^^^ Important note for the list: In ECC, the public key is a point on the elliptic curve, and the SEC standards have defined different representations for it. The uncompressed form trades on-the-wire space in favor of reduced processing complexity at the signature verifier. An alternative would be the compressed form that essentially only requires a single bit to represent the y-coordinate of that point, thus cutting the size of the key representation almost to half, but which necessitates additional calculations at the signature verifier (using the equation of the elliptical curve, perhaps making use of clever shortcuts depending on the finite field on which the curve is defined) to recover the entire value of the y-coordinate. Other IETF WGs have favored the uncompressed form, but the restrictions imposed by theoretical and practical DNS response size limitations might call for revisiting this topic for DNSSEC. Can implementors of ECC (outside DNSSEC) quantify the relative cost (in processing time) of using the compressed form? (3c) Section 7, 1st para -- word omission | This document updates the IANA for digest types in DS records, currently called "Delegation Signer Resource Record, Digest Algorithms". The following entry is added: --- vvvvvvvvvv | This document updates the IANA registry for digest types in DS records, currently called "Delegation Signer Resource Record, Digest Algorithms". The following entry is added: (3d) Section 7, new "Algortihm Number" entries To my knowledge, at this point in time there does not exist a formal specification for the use of these algorithms with DNS transaction security (TSIG) -- which now is no more regarded as a component of DNSSEC. I strongly suggest to definitely say in the registration templates that TSIG support is not available, and leave an update to such specification, once it eventually is adopted. Hence I suggest to perform the following change (3 occurrences): Trans. Sec. **** Unknown; will fill in later **** --- Trans. Sec. No (3e) Section 8 -- incomplete sentence [...]. Such an assessment could, of course, change in the future if new attacks that | work better than the ones known today. --- ^ [...]. Such an assessment could, of course, change in the future if new attacks that | work better than the ones known today are discovered. ^^^^^^^^^^^^^^^^ [[ Alternatively, use "found" instead of "discovered", as in the DSA draft. ]] Kind regards, Alfred Hönes. -- +------------------------+--------------------------------------------+ | TR-Sys Alfred Hoenes | Alfred Hoenes Dipl.-Math., Dipl.-Phys. | | Gerlinger Strasse 12 | Phone: (+49)7156/9635-0, Fax: -18 | | D-71254 Ditzingen | E-Mail: ah@TR-Sys.de | +------------------------+--------------------------------------------+
- [dnsext] draft-hoffman-dnssec-* (DNSSEC algorithm… Alfred Hönes