Admittedly having not read past the abstract and responding to Scott's message 
- Scott is right on a point I think is underplayed.

The protocol parameter registry is titled "DNS Security Algorithm Numbers", see:
  
http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1

...it's not DNSSEC Cryptographic Algorithms Numbers.

A DNS security algorithm number indicates a combination of a cryptographic 
algorithm *and* a hashing algorithm, plus a little signaling of NSEC3 
awareness.  E.g., registered numbers 1, 5, 6, 7, 8, and 10 are all RSA while 8 
and 13 use SHA-256.

And, as Scott reports, there are no cryptographic algorithms exclusively used 
in DNSSEC.

On 12/1/16, 16:02, "DNSOP on behalf of Rose, Scott" <dnsop-boun...@ietf.org on 
behalf of scott.r...@nist.gov> wrote:

I have read the draft and support it being made into a WG document. 
I do have some minor comments - none that change the tone of the document:
1. Introduction 5th paragraph
“DNSSEC algorithms are used…” Probably should be “DNSSEC registered 
algorithms…” There are no crypto algorithms that are part of DNSSEC only, just 
defined for use with DNSSEC.
2. There is also RFC 6975 - algorithm signaling in DNSSEC. I don’t know how 
widely deployed or used the EDNS option is, but it was proposed to help gather 
data about this very thing.
Scott

On 15 Nov 2016, at 7:41, Dan York wrote:
As mentioned at the very end of DNSOP, Olafur Gudmundsson, Ondrej Sury, Paul 
Wouters and I have a draft published that aims to document the steps involved 
with deploying a new cryptographic algorithm for DNSSEC. The overall goal is to 
make it easier to get new DNSSEC crypto algorithms deployed, both through 
documenting existing steps - and then potentially building off of this work 
with new documents to improve some of the steps.  Right now we'd like to get 
ECDSA out, but EdDSA is coming out soon and it would be great to get that 
deployed sooner rather than later.

As I said in the session, we'd like to get reviewers and then get the document 
adopted by the WG and moved along toward publication.

The draft is at either of:

https://datatracker.ietf.org/doc/draft-york-dnsop-deploying-dnssec-crypto-algs/

https://tools.ietf.org/html/draft-york-dnsop-deploying-dnssec-crypto-algs-04

Please send any comments to the list or to us as authors.

I also am maintaining this over in Github at: 
https://github.com/danyork/draft-deploying-dnssec-crypto-algs  If 
you are a Github user you are welcome to file an issue there or send text in a 
pull request.

Regardless, we'd just like any feedback (even if to say that it looks good).

Thanks,
Dan



--
Dan York
Senior Content Strategist, Internet Society
y...@isoc.org   +1-802-735-1624
Jabber: y...@jabber.isoc.org 
Skype: danyork   http://twitter.com/danyork

http://www.internetsociety.org/



_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

==================================
Scott Rose, NIST
sco...@nist.gov
ph: +1-301-975-8439
Google Voice: +1-571-249-3671
