DNS Extensions (dnsext)

Ted Lindgreen | 1 Dec 2007 08:40

Picon

Re: NSEC3, version 13

[Quoting Sam Hartman, on Nov 30, 17:34, in "Re: NSEC3, version 1 ..."]

> However, since there are objections, I assume the chairs will also
> call for support;silence in the presence of objections is not rough
> consensus.

I share Sam's concern, I also think that silence does not suffice
to go forward.

NSEC3 is a very complicated protocol extention. Few people, even
in this WG, really understand the issues at hand, those who do,
should speak up and guarantee the rest of us that all issues are
now solved,

Regards,
-- ted

--
to unsubscribe send a message to namedroppers-request <at> ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

Olaf M. Kolkman | 1 Dec 2007 17:46

Picon

Re: NSEC3, version 13

On 30Nov 2007, at 6:43 AM, Ólafur Guðmundsson /DNSEXT chair wrote:

> Please speak up if this change is of concern to you.
> If no one speaks up by Dec 7'th I will tell our AD the changes are
> fine.

So the change is that the basic-4 steps procedure was removed and  
replaced with text that amounts to "We'll solve this when we get to  
this".

For those who are not up to speed with the issue that is being  
addressed, the thread causing all this starts here:
http://ops.ietf.org/lists/namedroppers/namedroppers.2007/msg00553.html

To me it is clear that the current text postpones dealing with the  
problem that starts with the premisses in Sam Weiler's observation:
    "but we aren't (as far as I can tell) requiring that an NSEC3- 
SHA256-capable resolver also support NSEC3-SHA1"

If the requirement to support old algorithms would exist, then the  
rollover is one that we currently understand.

Personally I could imagine that the introduction of a new hashing  
algorithm would be able to deal with that requirement: If all else  
fails using the blunt instrument of a flag date. Hopefully there is a  
more elegant way. Finding resolvers not supporting the old algorithm  
is unlikely but I appreciate the fact that a corner case remains a  
corner case and will need to be dealt with.

(Continue reading)

Richard Lamb | 4 Dec 2007 01:32

dnssec-signzone/keygen /w seamless pkcs11 support - Part II

December 3, 2007

DNSSEC Enthusiasts-

Here is my second version of modifications to BIND for native PKCS11
HSM support (first released June 14 2007 on
 dnssec-deployment <at> shinkuro.com).  The vast majority of
 changes to BIND are restricted to one file
(lib/dns/opensslrsa_link.c).  Included are a number of HSM
utilities that should also work with any HSM with PKCS11
 support such as private key backup using C_Wrap/C_Unwrap.
 The archive is in fact a snapshot of  what IANA is using in its demo
DNSSEC system.   As there appears to be very little sample pkcs11 code
on the net, I hope it is in some way helpful to those of you
struggling with this. Feel free to use it or pieces of the code as you
please.  Contact me if you have any questions and I will try to help.

I. How to build and test PKCS11 HSM tools:

1. If you have not done so already, install and configure the PKCS11
library for your HSM.

If first time using this HSM this typically includes:
a. copying the pkcs11 library into a directory

b. enable the HSM

c. initialize the HSM

Otherwise:

(Continue reading)

Alex Bligh | 4 Dec 2007 10:06

Picon

Re: NSEC3, version 13

[ Moderators note: Post was moderated, either because it was posted by
   a non-subscriber, or because it was over 20K.  
   With the massive amount of spam, it is easy to miss and therefore 
   delete relevant posts by non-subscribers. 
   Please fix your subscription addresses. ]

--On 30 November 2007 00:43:49 -0500 "Ólafur Guðmundsson /DNSEXT chair" 
<ogud <at> ogud.com> wrote:

> Please speak up if this change is of concern to you.
> If no one speaks up by Dec 7'th I will tell our AD the changes are
> fine.

FWIW this text does NOT concern me and I think the changes are fine.

Alex

--
to unsubscribe send a message to namedroppers-request <at> ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

Sam Weiler | 4 Dec 2007 17:50

Re: Last Call: draft-ietf-dnsext-2929bis (Domain Name System (DNS) IANA Considerations) to BCP

This draft does not address at least one issue raised in WGLC.  It 
also contains substantial changes made after the close of WGLC that 
have received too little attention from the WG.  Accordingly, I 
continue to oppose publication of this document[1].  I suggest that 
the IESG refer it back to the WG and, once a new document is advanced, 
issue a new IETF last call.

An example of an issue raised in WGLC (in August 2006) that I think 
should be addressed:

The document continues to use IETF Consensus as an allocation metric. 
That term is deprecated in 2434bis and should be replaced.  The editor 
appears to have agreed to make that change[2], and I've seen no 
follow-up discussion saying that shouldn't happen.

And an example of one of the changes that I think has received too 
little review:

The document allows templates to create IANA registries.  Is that 
altogether desirable?  Has the expert been given enough guidance to 
review such requests?

I have not attempted to do an exhaustive review of the 2929bis 
discussion, but I suspect there are other items in the above 
categories also.

On the positive side, I'm pleased that the document provides for 
permanently archived templates which can, in and of themselves, serve 
as adequate documentation of a typecode assignment.

(Continue reading)

Eastlake III Donald-LDE008 | 4 Dec 2007 23:24

RE: Last Call: draft-ietf-dnsext-2929bis (Domain Name System (DNS) IANA Considerations) to BCP

Hi Sam,

It appears that, somehow, I overlooked message [2] below when I was
editing the document. Thanks for catching that. I'd be happy to make the
two changes agreed to: changing "who" to "whose" in one case (an error a
couple of other people have noticed) and changing "IETF Consensus" to
"IETF Review".

I believe that other changes you suggested were found by the WG Chair
not to have WG consensus.

Thanks,
Donald

-----Original Message-----
From: Sam Weiler [mailto:weiler <at> tislabs.com] 
Sent: Tuesday, December 04, 2007 11:51 AM
To: ietf <at> ietf.org
Cc: namedroppers <at> ops.ietf.org
Subject: Re: Last Call: draft-ietf-dnsext-2929bis (Domain Name System
(DNS) IANA Considerations) to BCP

This draft does not address at least one issue raised in WGLC.  It 
also contains substantial changes made after the close of WGLC that 
have received too little attention from the WG.  Accordingly, I 
continue to oppose publication of this document[1].  I suggest that 
the IESG refer it back to the WG and, once a new document is advanced, 
issue a new IETF last call.

An example of an issue raised in WGLC (in August 2006) that I think

(Continue reading)

Ólafur Guðmundsson /DNSEXT chair | 5 Dec 2007 18:44

Re: NSEC3, version 13

At 12:36 01/12/2007, Ted Lindgreen wrote:
>[Quoting Sam Hartman, on Nov 30, 17:34, in "Re: NSEC3, version 1 ..."]
>
> > However, since there are objections, I assume the chairs will also
> > call for support;silence in the presence of objections is not rough
> > consensus.
>
>I share Sam's concern, I also think that silence does not suffice
>to go forward.

We have IMHO a consensus on the document, what I need to know from
the working group member is if this change does affect their understanding
and expectations of the protocol.
This is a form of consensus call and should be just fine as the
explicit way to judge the consensuses is expressed.

>NSEC3 is a very complicated protocol extention. Few people, even
>in this WG, really understand the issues at hand, those who do,
>should speak up and guarantee the rest of us that all issues are
>now solved,

This is not a fair request without you saying what you mean by
"guarantee the rest of us that all issues are now solved".
Is this a guarantee that the expert has to pay penalty if she/he is wrong?
Did you mean to say "assert that he/she knows of NO issues with the 
current specification".

         Olafur

--

(Continue reading)

Ted Lindgreen | 5 Dec 2007 21:08

Picon

Re: NSEC3, version 13

[Quoting =?iso-8859-1?Q?=D3lafur?= =?iso-8859-1?Q?_Gu=F0mundsson?= /DNSEXT chair, on Dec  5, 19:19,
in "Re: NSEC3, version 1 ..."]

> This is not a fair request without you saying what you mean by
> "guarantee the rest of us that all issues are now solved".
> Is this a guarantee that the expert has to pay penalty if she/he is wrong?
> Did you mean to say "assert that he/she knows of NO issues with the 
> current specification".

I meant the latter,
-- ted

--
to unsubscribe send a message to namedroppers-request <at> ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

roy | 6 Dec 2007 02:47

Picon

Re: NSEC3, version 13

Ted Lindgreen wrote on 11/30/2007 11:40:29 PM:

> [Quoting Sam Hartman, on Nov 30, 17:34, in "Re: NSEC3, version 1 ..."]
> 
> > However, since there are objections, I assume the chairs will also
> > call for support;silence in the presence of objections is not rough
> > consensus.
> 
> I share Sam's concern, I also think that silence does not suffice
> to go forward.
> 
> NSEC3 is a very complicated protocol extention. Few people, even
> in this WG, really understand the issues at hand, those who do,
> should speak up and guarantee the rest of us that all issues are
> now solved,

I am confident all issues are now solved. Nothing has changed in the 
normative text part of the draft for a while now (not counting the 
occasional typo).

The text that changed was section 12.1.3, which had a 4 step gradual 
transition process for zone administrators to gradually introduce NSEC3 
records with a new hash algorithm. 

Without a gradual introduction of NSEC3 records, an administrator needs to 
change the hash algorithm and the signature algorithm in a single SOA 
serial version increase (i.e. an instant transition for lack of better 
terminology). That might be a bit problematic for highly volatile or very 
large zones though I do not expect that this transition would happen 
frequently.

(Continue reading)

Peter Koch | 8 Dec 2007 08:07

Picon

Re: NSEC3, version 13

On Sat, Dec 01, 2007 at 05:46:15PM +0100, Olaf M. Kolkman wrote:

> So the change is that the basic-4 steps procedure was removed and  
> replaced with text that amounts to "We'll solve this when we get to  
> this".

I agree with the changes proposed for -13 in Roy's message dated 30 NOV.

> problem that starts with the premisses in Sam Weiler's observation:
>    "but we aren't (as far as I can tell) requiring that an NSEC3- 
> SHA256-capable resolver also support NSEC3-SHA1"

This is one underlying assumption, although it doesn't _have_ to be
that way.  The new algorithm could as well mean "SHA256 or SHA1".
Theoretically this would allow a downgrade attack, but that could be
mitigated by doing a double transition (where the intermediate state
might even be infinitesimally small):
	NSEC3-SHA1 -> NSEC3-SHAng-or-SHA1 -> NSEC3-SHAng
Alternatively, for the transition phase, both hash algs could be signalled
in the DS RR.  Either of these could again have corner cases, but locating
and arguing them is not my point.  I am confident that the WG as a whole
understands signalling and rollover well enough to address the issue
once it becomes necessary. Hash algorithm is expected to be a _rare_
event, as opposed to key rollover, so extra manual intervention or
timing constraints appear acceptable IMHO.
The exact scheme will also depend on the operational environment at that
future date and thus could be dealt with later better anyway.

> Anyhow, as far as I am concerned, this is a corner case that can be  
> dealt with later. The current text does sufficiently flag this is an

(Continue reading)

Group

gmane.ietf.dnsext.

Search Archive

Page

1 | 2 | 3 | 4 | 5 | 6

Articles in period: 50

December 2007

Language

Change language

Options

Current view: Threads only / Showing only 20 lines / Not hiding cited text.
Change to All messages, whole messages, or hide cited text.

Post a message
NNTP Newsgroup
Classic Gmane web interface
XML

XML

RSS Feed
List Information

About Gmane

Recent entries

Protocol Action: 'Signaling Cryptographic Algorithm Understanding in D (17 May 2013)
Updates to draft-ietf-dnsext-dnssec-algo-signal draft as a result of I (11 May 2013)
SPF, a cautionary tale (8 May 2013)
SPF, a cautionary tale (6 May 2013)
SPF, a cautionary tale (6 May 2013)
SPF, a cautionary tale (5 May 2013)
SPF, a cautionary tale (5 May 2013)
SPF, a cautionary tale (5 May 2013)
SPF, a cautionary tale (4 May 2013)
loads of TXT records for fun and profit (3 May 2013)
Effects on DNS can be severe (3 May 2013)
Code generator for DNS RR parsing/emitting (3 May 2013)
[spfbis] Obsoleting SPF RRTYPE (28 Apr 2013)
Biggest Fake Conference in Computer Science (27 Apr 2013)
[spfbis] Obsoleting SPF RRTYPE (26 Apr 2013)
[spfbis] Obsoleting SPF RRTYPE (26 Apr 2013)
getting people to use new RRTYPEs (25 Apr 2013)
Draft for OID (25 Apr 2013)
[Editorial Errata Reported] RFC6891 (3604) (24 Apr 2013)
Obsoleting SPF RRTYPE (24 Apr 2013)
Fwd: New Version Notification - draft-jabley-dnsext-eui48-eui64-rrtype (23 Apr 2013)

Archives

55	May 2013
197	April 2013
42	March 2013
29	February 2013
10	January 2013
46	December 2012
9	November 2012
90	October 2012
31	September 2012
30	August 2012
65	July 2012
62	June 2012
22	May 2012
65	April 2012
137	March 2012
97	February 2012
120	January 2012
69	December 2011
41	November 2011
192	October 2011
72	September 2011
131	August 2011
51	July 2011
122	June 2011
85	May 2011
58	April 2011
331	March 2011
324	February 2011
210	January 2011
167	December 2010
74	November 2010
138	October 2010
206	September 2010
417	August 2010
171	July 2010
297	June 2010
275	May 2010
420	April 2010
288	March 2010
341	February 2010
199	January 2010
231	December 2009
116	November 2009
177	October 2009
277	September 2009
528	August 2009
343	July 2009
518	June 2009
344	May 2009
246	April 2009
143	March 2009
139	February 2009
135	January 2009
120	December 2008
158	November 2008
239	October 2008
272	September 2008
441	August 2008
297	July 2008
189	June 2008
32	May 2008
45	April 2008
203	March 2008
224	February 2008
208	January 2008
49	December 2007
119	November 2007
77	October 2007
44	September 2007
64	August 2007
49	July 2007
66	June 2007
33	May 2007
28	April 2007
111	March 2007
49	February 2007
96	January 2007
133	December 2006
86	November 2006
139	October 2006
54	September 2006
196	August 2006
144	July 2006
179	June 2006
99	May 2006
126	April 2006
254	March 2006
161	February 2006
76	January 2006
134	December 2005
268	November 2005
207	October 2005
135	September 2005
87	August 2005
71	July 2005
189	June 2005
67	May 2005
92	April 2005
271	March 2005
134	February 2005
281	January 2005
74	December 2004
134	November 2004
164	October 2004
239	September 2004
225	August 2004
142	July 2004
460	June 2004
391	May 2004
16	April 2004
107	March 2004
129	February 2004
121	January 2004
142	December 2003
145	November 2003
199	October 2003
209	September 2003
141	August 2003
109	July 2003
231	June 2003
195	May 2003
205	April 2003
255	March 2003
426	February 2003
70	January 2003
189	December 2002
267	November 2002
91	October 2002
211	September 2002
254	August 2002
308	July 2002
254	June 2002
41	May 2002
181	April 2002

Design

Zawodny | Right Menu | Left Menu

Your Own Design

Paste the URL of your CSS below. Download CSS template