On Mon, 4 Mar 2013, Antoin Verschuren wrote:
That's for local policy to decide. A domain might want to profile itself as only accepting tested and secure algorithms so its users know what to expect in that domain. A single child stepping in with its own unsupported algorithm to try to break that expectation does not help us to a better place.
Sometimes the child is wrong, sometimes the parent is wrong. I'd say leave this all out of the discussion. Use the simple DS format for CDS: the child can steer the parent, and the parent decides if it will give the child their record or not.
I expected that argument. Experiments should be done in a lab. On a network that we want to be reliable and secure, experiments from children should not dictate parent policy.
Unfortunately there are bad parents around too. Like those who remove DS records for a transfer because "children do it wrong so often, we want to help them by not having their domain go dark" and instead dictate to the child that they will be insecure during transfer.
I want to experiment with MD5. Could the root please supply me with MD5 signatures, as my relying party does not understand anything else...
If you want to use my domain, you should at least support the algorithms I use for the hashes in my chain of trust to the root. Anything else on top of that is fine, but you can't do without mine.
I fear the problem is more the reverse. Look at DS record and IPv6 glue adoption. Hordes of children are waiting for their parents (or babysitting registrars) to get their act together. And don't tell me adoption was slow on purpose for "security and stability" reasons :/
If you want to experiment with algorithms in your own zone, under your own domain, with your own SEP as trust anchor, be my guest. Do that on your own level in your own tree. But don't force your parent to facilitate each and every experiment.
Having done a bunch of FIPS work, let me tell you how HARD it is to convince parents/upstream to switch from MD5 to SHA1 or better. Parents need to update their policies too. So please, cut down on the condescending parental talk :)

Paul

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
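The mechanism the thread argues over, a child publishing a CDS record in plain DS format and the parent applying its own local policy before accepting it, can be shown in a few lines. The following is an added example written for this page, not code from either poster or from any registry; it implements the DS digest and key tag computation of RFC 4034 over a constructed (not real) DNSKEY, and a parent-side policy check whose allowed digest types and DNSKEY algorithms are assumptions chosen for illustration. It does not DNSSEC-validate the CDS RRset itself, which a real parent would do before anything else.

```python
import hashlib
import struct

# DS digest type numbers from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Parent-side local policy (an assumption for this example): accept only SHA-256/SHA-384
# digests and only the DNSKEY algorithms the parent has decided to support
# (8 = RSASHA256, 13 = ECDSAP256SHA256, 14 = ECDSAP384SHA384).
PARENT_POLICY = {"digest_types": {2, 4}, "dnskey_algorithms": {8, 13, 14}}


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name, as used for DS digests (RFC 4034)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: Flags | Protocol | Algorithm | Public Key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(owner name in wire format | DNSKEY RDATA), as uppercase hex."""
    h = DIGEST_ALGOS[digest_type]()
    h.update(wire_name(owner) + rdata)
    return h.hexdigest().upper()


def build_cds(owner: str, rdata: bytes, digest_type: int) -> tuple:
    """What the child publishes: (key tag, algorithm, digest type, digest), i.e. DS format."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def cds_presentation(cds: tuple) -> str:
    tag, alg, dtype, digest = cds
    return f"{tag} {alg} {dtype} {digest}"


def parent_decision(owner: str, cds: tuple, child_dnskeys: list, policy: dict = PARENT_POLICY) -> tuple:
    """The parent's side: apply local policy, then check the CDS against the child's DNSKEY set."""
    tag, alg, dtype, digest = cds
    if dtype not in policy["digest_types"]:
        return ("reject", f"digest type {dtype} not accepted by parent policy")
    if alg not in policy["dnskey_algorithms"]:
        return ("reject", f"DNSKEY algorithm {alg} not accepted by parent policy")
    for rdata in child_dnskeys:
        if key_tag(rdata) == tag and rdata[3] == alg and ds_digest(owner, rdata, dtype) == digest.upper():
            return ("accept", "CDS matches a DNSKEY at the child's apex")
    return ("reject", "CDS does not match any DNSKEY at the child's apex")


# Constructed sample: a KSK (flags 257) using algorithm 13 with a dummy 64-byte public key.
# This is NOT a real key; the bytes are chosen only so the example runs offline.
CHILD_ZONE = "child.example."
EXAMPLE_RDATA = dnskey_rdata(257, 3, 13, bytes(range(64)))

if __name__ == "__main__":
    cds_ok = build_cds(CHILD_ZONE, EXAMPLE_RDATA, 2)
    cds_sha1 = build_cds(CHILD_ZONE, EXAMPLE_RDATA, 1)
    print("child publishes CDS:", cds_presentation(cds_ok))
    print("parent says:", parent_decision(CHILD_ZONE, cds_ok, [EXAMPLE_RDATA]))
    print("parent says:", parent_decision(CHILD_ZONE, cds_sha1, [EXAMPLE_RDATA]))
```

The two rejection paths are the two positions in the thread: the first is the parent's policy ("we only accept tested and secure algorithms"), the second is the integrity check that protects the child ("a CDS that does not match the child's own DNSKEY is never copied into the parent, whatever the policy says"). Note that the policy check runs before any digest is computed, so a child cannot learn anything about the parent's key handling by publishing an unsupported digest type.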
