Re: [secdir] review of draft-ietf-dnsext-dnssec-gost-05

Basil Dolmatov <> Sat, 23 January 2010 18:33 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 932BA3A6962 for <>; Sat, 23 Jan 2010 10:33:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 1.285
X-Spam-Level: *
X-Spam-Status: No, score=1.285 tagged_above=-999 required=5 tests=[BAYES_40=-0.185, HELO_EQ_RU=0.595, HOST_EQ_RU=0.875]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ViIHV3GKM8m9 for <>; Sat, 23 Jan 2010 10:33:39 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 7CAF93A692D for <>; Sat, 23 Jan 2010 10:33:38 -0800 (PST)
Received: from [] ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTP id 2765C46501; Sat, 23 Jan 2010 21:33:31 +0300 (MSK)
Message-ID: <>
Date: Sat, 23 Jan 2010 21:33:31 +0300
From: Basil Dolmatov <>
User-Agent: Thunderbird (X11/20090817)
MIME-Version: 1.0
To: Andrew Sullivan <>
References: <p06240810c76be77be756@[]> <> <p06240818c76c1a38cbf8@[]> <>
In-Reply-To: <>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Mailman-Approved-At: Sun, 24 Jan 2010 22:57:34 -0800
Cc: Ralph Droms <>,,
Subject: Re: [secdir] review of draft-ietf-dnsext-dnssec-gost-05
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 23 Jan 2010 18:33:40 -0000

Andrew Sullivan пишет:
>> BTW, we have had this discussion in SIDR, where the RPKI has a similar 
>> global scope and where Vasily had made a similar request for recognition 
>> of GOST algorithms. So far, that WG has said no, for the reasons I cited 
>> in my comments and above. The current plan there is to go with the two 
>> suite model I described above.
> Ok.  Thanks for this; it's useful feedback.
Andrew, I, being the participant in the quoted process, want to share my 
description of what had happened and I think that it will differ to some 

I noted that RPKI and SIDR implementations having exactly no possibility 
to support different protocols will definitely meet the problems, which 
DNSSec is overcoming simply by its design.

Steve, in his presentation showed the technology which gives possibility 
to given AS (or group of ASes) to build entirely independent system of 
distribution of routing information from the outer world. That was 
_the_other_way_ to handle possible protocol problems, just to present 
mechanism, which allows to split whole system into several entirely 
independent protocol domains.

Comparing to DNS the IDR ideology is entirely different: DNS is 
wholistic and united service, but main IDR principle is the independence 
of routing decisions for any given AS.

I also noted then that from my point of view the DNSSec protocol 
approach seems much more productive for the development of the network 
as a whole and maintaining its integrity, SIDR approach from that 
perspective seems a restrictive one and leading to the dead end in the 
near future.

I would be very cautious when considering the borrowing of the 
technologies and approaches from SIDR to any other protocols and 
services, these technologies though allowing to "overcome" possible 
protocol problems in fact will lead to the network split.


> Best,
> A