Re: [dnsext] I-D Action: draft-ietf-dnsext-dnssec-algo-signal-04.txt

Mark Andrews <marka@isc.org> Tue, 13 March 2012 08:21 UTC

To: dnsext@ietf.org
From: Mark Andrews <marka@isc.org>
References: <20120306162935.4172.91398.idtracker@ietfa.amsl.com> <20120309090748.GA20102@miek.nl> <3B318BC7-749C-4885-A6B9-8BE91479D0F9@gmail.com> <20120313080731.GA12019@miek.nl>
Mail-Followup-To: dnsext@ietf.org
In-reply-to: Your message of "Tue, 13 Mar 2012 09:07:31 BST." <20120313080731.GA12019@miek.nl>
Date: Tue, 13 Mar 2012 19:21:22 +1100
Message-Id: <20120313082123.172C01E76A51@drugs.dv.isc.org>
Subject: Re: [dnsext] I-D Action: draft-ietf-dnsext-dnssec-algo-signal-04.txt

In message <20120313080731.GA12019@miek.nl>, Miek Gieben writes:
> [ Quoting <scottr.nist@gmail.com> at 09:08 on Mar 12 in "Re: [dnsext] I-D Act..." ]
> > One reason we made it three unique options was so clients could mix
> > and match if they wanted. Especially since there is only one NSEC3
> > hash algorithm code assigned for now.
> 
> Upgrading hashes in NSEC3 is hard, upgrading NSEC3 (to whatever) is harder
> still.
> 
> How about an extra option that lists which authenticated denial of existence
> records are understood. Something along the lines:
> 
> An option code that signals which negative resource records a resolver
> can handle. When DNSSEC was first designed, NXT was defined; this was
> later renamed to NSEC. Later still NSEC3 was defined. Upgrading to a new
> authenticated denial of existence record is very hard. The upgrade to NSEC3
> involved an algorithm roll, which is not desirable as we only have 8 bits in
> the algorithm field. So we define the following:
> 
> NXU                         (NXDOMAIN Understood)
> 2                           (length is always 2 octets)
> Type code of the highest NX record understood.
> 
> This defaults to '50'.
> 
>  Regards,
> 
> -- 
>     Miek Gieben
 
If you want to solve upgrading NSEC3's hash algorithm or BNAME etc.
then that needs to be carried in the DS record so the zone can be
treated as insecure.  Defining DS hash types which have additional
fields would be one way forward that is backwards compatible.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext
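The reply's point, that only the DS record gives an older validator a graceful downgrade, can be checked against the existing validator rules: RFC 4035 section 5.2 treats a child as insecure when the parent's DS set contains no (algorithm, digest type) pair the validator supports, while RFC 5155 section 8.1 has validators ignore NSEC3 RRs with an unknown hash algorithm, so a denial proven only by such RRs generally ends up bogus. The following is an added example written for this archive page; it is not code from the thread, from ISC or from BIND. It models both decisions in Python with the standard library only. The supported code point sets, the DNSKEY bytes, and digest type 250 are constructed for illustration and are not taken from any real zone or registry entry.

```python
"""Added example (not from the thread): why an unsupported DS digest type or
DNSKEY algorithm degrades a delegation to *insecure*, while an unsupported
NSEC3 hash leaves a negative answer *bogus*.  Follows RFC 4035 s5.2 and
RFC 5155 s8.1.  Key material below is constructed, not a real zone's."""
import hashlib
import struct
from dataclasses import dataclass

# What this (hypothetical) validator understands; an assumption for the example.
SUPPORTED_DNSKEY_ALGS = {5, 7, 8, 13}   # RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, ECDSAP256SHA256
SUPPORTED_DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}   # RFC 4034 / RFC 4509
SUPPORTED_NSEC3_HASHES = {1}            # SHA-1, the only NSEC3 hash algorithm assigned


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        # RFC 4034 s2.1 wire layout: flags(2) protocol(1) algorithm(1) key
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def owner_wire(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, key: DNSKEY, digest_type: int) -> DS:
    """Build the DS a parent would publish: digest over owner | DNSKEY RDATA (RFC 4034 s5.1.4)."""
    h = SUPPORTED_DS_DIGESTS[digest_type]
    rdata = key.rdata()
    return DS(key_tag(rdata), key.algorithm, digest_type,
              h(owner_wire(owner) + rdata).digest())


def ds_matches(ds: DS, owner: str, key: DNSKEY) -> bool:
    """Does this DS authenticate this DNSKEY?  An unknown digest type can never match."""
    h = SUPPORTED_DS_DIGESTS.get(ds.digest_type)
    if h is None or ds.algorithm != key.algorithm:
        return False
    rdata = key.rdata()
    return ds.key_tag == key_tag(rdata) and ds.digest == h(owner_wire(owner) + rdata).digest()


def delegation_state(ds_set, supported_algs=SUPPORTED_DNSKEY_ALGS,
                     supported_digests=SUPPORTED_DS_DIGESTS) -> str:
    """RFC 4035 s5.2: if no DS in the set uses an algorithm *and* digest type the
    validator supports, the child zone is treated as insecure (unsigned), not bogus.
    This is the graceful-downgrade path available at the DS record."""
    usable = [d for d in ds_set
              if d.algorithm in supported_algs and d.digest_type in supported_digests]
    return "validate" if usable else "insecure"


def denial_state(nsec3_hash_algs, supported=SUPPORTED_NSEC3_HASHES) -> str:
    """RFC 5155 s8.1: NSEC3 RRs with an unknown hash algorithm are ignored, so a
    denial proven only by such RRs generally fails validation: bogus, no downgrade."""
    usable = [a for a in nsec3_hash_algs if a in supported]
    return "validate" if usable else "bogus"


if __name__ == "__main__":
    zsk = DNSKEY(257, 3, 13, bytes(range(64)))       # constructed key bytes, not a real key
    ds_sha256 = make_ds("example.", zsk, 2)
    print(delegation_state([ds_sha256]), ds_matches(ds_sha256, "example.", zsk))
    # Parent publishes only a digest type this validator does not know (250: unassigned, assumption).
    ds_unknown = DS(ds_sha256.key_tag, 13, 250, b"\x00" * 32)
    print(delegation_state([ds_unknown]))   # insecure: old validator keeps resolving
    print(denial_state([2]))                # bogus: NSEC3 with an unknown hash gives no downgrade
```

The asymmetry is the whole argument: a validator that predates a new DS digest type or DNSKEY algorithm simply stops validating below that delegation, whereas a validator that predates a new NSEC3 hash keeps validating and fails. That is why signalling a new hash or record type through the DS record, rather than through NSEC3 parameters or an EDNS option the old validator never sends, is the only path that leaves old validators returning answers.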