Admittedly having not read past the abstract and responding to Scott's message - Scott is right on a point I think is underplayed.
The protocol parameter registry is titled "DNS Security Algorithm Numbers", see: http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1 ...it's not DNSSEC Cryptographic Algorithms Numbers. A DNS security algorithm number indicates a combination of a cryptographic algorithm *and* a hashing algorithm, plus a little of signaling of NSEC3 awareness. E.g., registered numbers 1, 5, 6, 7, 8, and 10 are all RSA while 8 and 13 use SHA-256. And, as Scott reports, there are no cryptographic algorithms exclusively used in DNSSEC. On 12/1/16, 16:02, "DNSOP on behalf of Rose, Scott" <dnsop-boun...@ietf.org on behalf of scott.r...@nist.gov> wrote: I have read the draft and support it being made into a WG document. I do have some minor comments - none that change the tone of the document: 1. Introduction 5th paragraph “DNSSEC algorithms are used…” Probably should be “DNSSEC registered algorithms…” There are no crypto algorithms that are part of DNSSEC only, just defined for use with DNSSEC. 2. There is also RFC 6975 - algorithm signaling in DNSSEC. I don’t know how widely deployed or used the EDNS option is, but it was proposed to help gather data about this very thing. Scott On 15 Nov 2016, at 7:41, Dan York wrote: As mentioned at the very end of DNSOP, Olafur Gudmundsson, Ondrej Sury, Paul Wouters and I have a draft published that aims to document the steps involved with deploying a new cryptographic algorithm for DNSSEC. The overall goal is to make it easier to get new DNSSEC crypto algorithms deployed, both through documenting existing steps - and then potentially building off of this work with new documents to improve some of the steps. Right now we'd like to get ECDSA out, but EdDSA is coming out soon and it would be great to get that deployed sooner rather than later. As I said in the session, we'd like to get reviewers and then get the document adopted by the WG and moved along toward publication. The draft is at either of: https://datatracker.ietf.org/doc/draft-york-dnsop-deploying-dnssec-crypto-algs/[datatracker.ietf.org] https://tools.ietf.org/html/draft-york-dnsop-deploying-dnssec-crypto-algs-04[tools.ietf.org] Please send any comments to the list or to us as authors. I also am maintaining this over in Github at: https://github.com/danyork/draft-deploying-dnssec-crypto-algs[github.com] If you are a Github user you are welcome to file an issue there or send text in a pull request. Regardless, we'd just like any feedback (even if to say that it looks good). Thanks, Dan -- Dan York Senior Content Strategist, Internet Society y...@isoc.org +1-802-735-1624 Jabber: y...@jabber.isoc.org Skype: danyork http://twitter.com/danyork[twitter.com] http://www.internetsociety.org/[internetsociety.org] _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop[ietf.org] ================================== Scott Rose, NIST sco...@nist.gov ph: +1-301-975-8439 Google Voice: +1-571-249-3671
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
