Re: [dnsext] Report from chairs

Phillip Hallam-Baker <hallam@gmail.com> Fri, 30 July 2010 16:18 UTC

In-Reply-To: <201007260710.o6Q7AjoB025253@givry.fdupont.fr>
References: <20100725213920.GF8017@shinkuro.com> <201007260710.o6Q7AjoB025253@givry.fdupont.fr>
Date: Fri, 30 Jul 2010 12:11:21 -0400
Message-ID: <AANLkTimVBmC=mMCzr1SO7k=9qfTXkdVWMd3Lrzcw8T+C@mail.gmail.com>
Subject: Re: [dnsext] Report from chairs
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Francis Dupont <Francis.Dupont@fdupont.fr>
Cc: Andrew Sullivan <ajs@shinkuro.com>, namedroppers@ops.ietf.org

My feeling is that we should shelve this and instead work on a key
exchange to complement TSIG and then deprecate HMAC-MD5 for use in
that context.

The reason for this is that I think DNS-CURVE meets a real need, even
if the approach is not really sensitive to existing DNS code.
Suggesting a move to ECC is a good idea, suggesting transport layer
security is a good idea. Suggesting both in the same proposal is not.

For example, most enterprises use split DNS. They do not want their
internal DNS to be externally visible. But if (like me) the only
corporate facility you really need most of the time is email, you can
get perfectly adequate support by using SMTP and IMAP/POP over SSL.
Using IPSEC just to secure the DNS part is really quite painful. This
approach is much cleaner.


So given that we can expect to upgrade the whole TSIG area in an
important way, and given that there is no immediate security risk with
MD5, I think it makes sense to have one transition rather than two.


On Mon, Jul 26, 2010 at 3:10 AM, Francis Dupont
<Francis.Dupont@fdupont.fr> wrote:
>  In your previous mail you wrote:
>
>   4.  EXPIRED DRAFTS
>
>       - draft-ietf-dnsext-tsig-md5-deprecated
>
>   Is anyone still interested in this draft?  We have no movement on it.
>
> => there is a clear lack of support for this draft. I propose to give
> the question to the security area so they should say if it is fine to
> keep MD5 mandatory in an IETF protocol.
>
> Two comments:
>  - MD5 is used in a way (HMAC) in which it is not proved to be weak
>
>  - the issue is that MD5 is forbidden for most (i.e., all I know of :-)
>  certified cryptos, so it is not possible to run a TSIG tool that is both
>  certified (for the crypto) and conformant (to standards).
>  Now it seems to be only a formal concern...
>
> Thanks
>
> Francis.Dupont@fdupont.fr
>
>



-- 
Website: http://hallambaker.com/
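The thread turns on two points: an HMAC-MD5 TSIG MAC is not known to be forgeable, yet a certified (FIPS-validated) crypto module will not compute MD5 at all, so the only practical fix is migrating keys to another HMAC algorithm. The following Python is an added example, not code from the thread or from any DNS implementation. It shows a TSIG-style signer/verifier that selects the HMAC by the algorithm name carried in the TSIG RR (RFC 2845 / RFC 4635 names), a local policy knob that rejects algorithms a certified module would refuse before any MAC is computed, and a small audit over a constructed BIND-style `named.conf` fragment that lists which keys still use `hmac-md5`. Assumptions: the MAC covers only the DNS message bytes (the real RFC 2845 MAC also covers the request MAC and the TSIG variables), the policy set is constructed, and the config text, key names and secrets are all made up.

```python
import hashlib
import hmac
import re

# TSIG algorithm names as carried in the TSIG RR (RFC 2845 / RFC 4635),
# mapped to the digest that backs each HMAC. BIND's short form "hmac-md5"
# is normalised to the registered name via ALIASES.
TSIG_ALGORITHMS = {
    "hmac-md5.sig-alg.reg.int": hashlib.md5,
    "hmac-sha1": hashlib.sha1,
    "hmac-sha256": hashlib.sha256,
    "hmac-sha512": hashlib.sha512,
}
ALIASES = {"hmac-md5": "hmac-md5.sig-alg.reg.int"}

# Local policy (constructed for this example): algorithms a certified
# crypto module would refuse. This is the gap the thread describes: HMAC-MD5
# is not known to be broken, but MD5 is unavailable in validated modules.
CERTIFIED_MODULE_POLICY = frozenset({"hmac-md5.sig-alg.reg.int"})


def canonical_algorithm(name):
    """Lower-case the algorithm name and expand BIND's short aliases."""
    name = name.lower().rstrip(".")
    return ALIASES.get(name, name)


def tsig_mac(algorithm, key, message):
    """HMAC over the DNS message bytes (simplified; see lead-in assumption)."""
    digest = TSIG_ALGORITHMS[canonical_algorithm(algorithm)]
    return hmac.new(key, message, digest).digest()


def verify_tsig(algorithm, key, message, mac, policy=frozenset()):
    """Return (accepted, rcode_or_reason) for a received MAC.

    BADKEY and BADSIG are the TSIG error names from RFC 2845; the policy
    rejection is a local decision taken before any MAC is computed, which
    is what lets a FIPS-bound verifier never touch MD5.
    """
    alg = canonical_algorithm(algorithm)
    if alg not in TSIG_ALGORITHMS:
        return False, "BADKEY"
    if alg in policy:
        return False, "algorithm rejected by local policy"
    expected = hmac.new(key, message, TSIG_ALGORITHMS[alg]).digest()
    # Constant-time comparison so the verifier does not leak MAC bytes by timing.
    if not hmac.compare_digest(expected, mac):
        return False, "BADSIG"
    return True, "NOERROR"


# Constructed sample input: two BIND-style key statements, one still on MD5.
SAMPLE_NAMED_CONF = """
key "xfer-key" {
    algorithm hmac-md5;
    secret "ZXhhbXBsZS1zZWNyZXQ=";
};
key "update-key" {
    algorithm hmac-sha256;
    secret "YW5vdGhlci1zZWNyZXQ=";
};
"""

KEY_STATEMENT = re.compile(
    r'key\s+"?([\w.-]+)"?\s*\{\s*algorithm\s+([\w.-]+)\s*;', re.IGNORECASE
)


def keys_needing_migration(config_text, policy=CERTIFIED_MODULE_POLICY):
    """List (key name, canonical algorithm) pairs the policy would reject."""
    return [
        (name, canonical_algorithm(alg))
        for name, alg in KEY_STATEMENT.findall(config_text)
        if canonical_algorithm(alg) in policy
    ]


if __name__ == "__main__":
    key = b"constructed shared secret"
    msg = b"\x12\x34\x28\x00" + b"constructed zone transfer request"
    mac = tsig_mac("hmac-sha256", key, msg)
    print(verify_tsig("hmac-sha256", key, msg, mac))
    print(verify_tsig("hmac-md5", key, msg, tsig_mac("hmac-md5", key, msg),
                      policy=CERTIFIED_MODULE_POLICY))
    print(keys_needing_migration(SAMPLE_NAMED_CONF))
```

Because the algorithm is selected by the name in the TSIG RR, switching a key from `hmac-md5` to `hmac-sha256` changes nothing in the signing or verifying code path; the migration cost is entirely in rolling the key statements on both ends, which is why the audit function is the useful part for an operator planning a single transition.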