IETF Logo Mail Archive

Re: [dnsext] draft-ietf-dnsext-dnssec-algo-signal-07.txt

Steve Crocker <steve@shinkuro.com> Tue, 17 July 2012 16:59 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C339021F869C; Tue, 17 Jul 2012 09:59:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1342544388; bh=+UIo6yErWajRCWqNbwww69UNfimUtqQ6UnIw9818K3E=; h=Mime-Version:From:In-Reply-To:Date:Message-Id:References:To:Cc: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Type:Content-Transfer-Encoding:Sender; b=TmO9tzC92wBtKjUOGjzQPMreII5KjRmLeXxX4o3RKWrw7zGF28ISGpKWOJSXdc3f5 vCYsFRxROrrc1OivoogHJG6cV3IkYRd3kqFjBmR7HEtOCK6CiU5b4wbwHJajBGC2qx WFJGP2/VQobzRaSEPa4CFW2bNqDvlGH3jxqpj6wM=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4263C21F869C for <dnsext@ietfa.amsl.com>; Tue, 17 Jul 2012 09:59:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.47
X-Spam-Level:
X-Spam-Status: No, score=-1.47 tagged_above=-999 required=5 tests=[AWL=0.001, BAYES_00=-2.599, HELO_EQ_DSL=1.129]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DMZhFFIGOke8 for <dnsext@ietfa.amsl.com>; Tue, 17 Jul 2012 09:59:46 -0700 (PDT)
Received: from execdsl.com (remote.shinkuro.com [50.56.68.178]) by ietfa.amsl.com (Postfix) with ESMTP id 6B7D721F869A for <dnsext@ietf.org>; Tue, 17 Jul 2012 09:59:46 -0700 (PDT)
Received: from [70.88.139.89] (account steve@shinkuro.com HELO [192.168.168.156]) by execdsl.com (CommuniGate Pro SMTP 5.1.16) with ESMTPSA id 20696731; Tue, 17 Jul 2012 17:00:58 +0000
Mime-Version: 1.0 (Apple Message framework v1084)
From: Steve Crocker <steve@shinkuro.com>
In-Reply-To: <85D2BE55-4028-468E-A07B-4F3B7406B68A@vpnc.org>
Date: Tue, 17 Jul 2012 13:00:30 -0400
Message-Id: <5A201A57-A13E-4021-A012-CEA37DA5DBED@shinkuro.com>
References: <6EC11B57-B164-4214-AADE-E552D9B21753@frobbit.se> <85D2BE55-4028-468E-A07B-4F3B7406B68A@vpnc.org>
To: Paul Hoffman <paul.hoffman@vpnc.org>
X-Mailer: Apple Mail (2.1084)
Cc: Patrik Fältström <patrik@frobbit.se>, dnsext@ietf.org
Subject: Re: [dnsext] draft-ietf-dnsext-dnssec-algo-signal-07.txt
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

Paul,

There is a subtle point that may be helpful to recall.  The primary purpose of advertisement of which algorithms are understood by the resolver is to provide a measure of the adoption of new algorithms.  In the broad, slow cycle of introduction of new algorithms and the presumed phasing out of old algorithms, operators on the signing side of the equation will be choosing when to sign with a new algorithm and when to stop signing with an old algorithm.  They can sign with a new algorithm whenever they feel ready to do so, but they cannot rationally stop signing with the old algorithm until they have evidence that essentially all of the resolvers understand the new algorithm.  Thus, as I said, the primary purpose of this protocol extension is to provide measurable assessment of the uptake of a new algorithm.  From this perspective, the order of the algorithms within the resolver's advertisement is irrelevant.

Subordinate to this primary purpose is the potential for also advertising a preference.  Whether the responding system pays attention to the order is up to the responding system.  Also, as you suggest, the querying system may or may not have a real preference.  I don't think we have enough information to say one way or the other, and the perfect is the enemy of the good.  Let's move this forward and revisit your concern when there is some implementation and deployment experience to examine.  I hope is that this is the worst issue we will have to deal with.

Steve



On Jul 17, 2012, at 12:23 PM, Paul Hoffman wrote:

> On Jul 17, 2012, at 6:00 AM, Patrik Fältström wrote:
> 
>> As this was announced on June 14, 2012, and Scott Rose immediately followed up with an announcement (http://www.ietf.org/mail-archive/web/dnsext/current/msg12514.html) and there have been exactly zero comments I am a bit shy of declaring victory.
>> 
>> Can I get please at least three people that have seen this version, read it, and support it moving forward (part from myself and the authors of the document?
> 
> I have read the document and think it may be ready for IETF review, but it also might not. Section 3 still says:
>   The
>   validating end-system resolver sets the value(s) in the order of
>   preference, with the most preferred algorithm(s) first as described
>   in section 2.
> It does not say how a resolver choses the order of preference, probably because they have no frigging idea how to measure that. How can one express a preference between RSA and ECDSA, for example, without knowing the RSA key length? Worse, how can you even have a preference when what you really have is a list of algorithms that you fully accept and a list that you fully reject?
> 
> My preference remains the same: get rid of this ordering, stop pretending that people who run resolvers care about this as much as security geeks do, and stop suggesting to people that they should care about something they do not understand. But if the WG wants to leave this in, no significant harm will be done.
> 
> --Paul Hoffman
> _______________________________________________
> dnsext mailing list
> dnsext@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsext

_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.23.0 | Report a Bug | By Email