Shumon,

In section 5 your draft says:

> If an Authoritative Server has no algorithms in common with the Preferred Algorithms list in the incoming query, it MUST send back a SERVFAIL response (Response Code 2). This response MUST contain the list of algorithms supported by the server in the EDNS0 Preferred Algorithms option.

This is a HORRIBLE violation of the DNSSEC spirit. All validators are supposed to fail open when they cannot validate the algorithm the signature is generated by.

Section 6: This is a hopeless algorithm that goes against the justification of the document. Basically it may force validating resolvers to fetch the answers multiple times for each TTL: once without DNSSEC, then for the first algorithm, then for all algorithms ==> right now validating resolvers only fetch once with DNSSEC enabled.

This is a HORRIBLE violation of the DNSSEC spirit. All validators are supposed to fail open when they cannot validate the algorithm the signature is generated by.

Overall this draft's main idea: DNS publishers should sign with more algorithms ===> this means more keys in the DNSKEY set, i.e. a larger DNSKEY set ==> better for DDoS.

Olafur

On Tue, Jul 4, 2017 at 11:42 AM, Shumon Huque <[email protected]> wrote:
> Hi folks,
>
> We've posted a new draft on algorithm negotiation which we're hoping to
> discuss at IETF99 (and on list of course). I've discussed this topic with
> several folks at DNS-OARC recently.
>
> https://tools.ietf.org/html/draft-huque-dnssec-alg-nego-00
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
>
>
> Title : Algorithm Negotiation in DNSSEC
> Authors : Shumon Huque
> Haya Shulman
> Filename : draft-huque-dnssec-alg-nego-00.txt
> Pages : 9
> Date : 2017-07-03
>
> Abstract:
> This document specifies a DNS extension that allows a DNS client to
> specify a list of DNSSEC algorithms, in preference order, that the
> client desires to use. A DNS server upon receipt of this extension
> can choose to selectively respond with DNSSEC signatures using the
> most preferred algorithm they support. This mechanism may make it
> easier for DNS zone operators to support signing zone data
> simultaneously with multiple DNSSEC algorithms, without significantly
> increasing the size of DNS responses. It will also allow an easier
> way to transition to new algorithms while still retaining support for
> older DNS validators that do not yet support the new algorithms.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-huque-dnssec-alg-nego/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-huque-dnssec-alg-nego-00
> https://datatracker.ietf.org/doc/html/draft-huque-dnssec-alg-nego-00
>
> --
> Shumon Huque
>
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
>
>
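The exchange the two messages argue about, modelled as a toy in Python. This is an added example, not code from the draft, its authors, or the poster: it models the section 5 behaviour quoted above (answer with the client's most preferred supported algorithm, otherwise SERVFAIL carrying the server's own list), the RFC 4035 section 5.2 rule that a validator which understands none of the signing algorithms treats the data as insecure rather than bogus, and the round-trip count a validator needs in each mode. The algorithm numbers are the real IANA DNSSEC values; the `Response` class, the retry strategy in `queries_to_settle` and the zone/validator configurations are constructed for illustration, and no wire format for the EDNS0 option is assumed.

```python
"""Toy model of DNSSEC algorithm negotiation as discussed in the thread.
Constructed example; not the draft's or the list poster's code."""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Real DNSSEC algorithm numbers from the IANA registry.
RSASHA256 = 8
ECDSAP256SHA256 = 13
ED25519 = 15

NOERROR, SERVFAIL = 0, 2


@dataclass(frozen=True)
class Response:
    """Minimal stand-in for a DNS response (hypothetical structure)."""
    rcode: int
    rrsig_algs: Tuple[int, ...]          # algorithms of the RRSIGs in the answer
    server_algs: Tuple[int, ...] = ()    # Preferred Algorithms option echoed on SERVFAIL


def authoritative_answer(server_algs: Iterable[int],
                         client_prefs: Optional[Tuple[int, ...]] = None) -> Response:
    """Model of the quoted section 5 behaviour.

    Without the option (today's behaviour) the server returns RRSIGs for every
    algorithm the zone is signed with.  With the option it returns only the
    client's most preferred algorithm it supports, or SERVFAIL plus its own list
    when there is nothing in common."""
    supported = set(server_algs)
    if client_prefs is None:
        return Response(NOERROR, tuple(sorted(supported)))
    for alg in client_prefs:               # client list is in preference order
        if alg in supported:
            return Response(NOERROR, (alg,))
    return Response(SERVFAIL, (), tuple(sorted(supported)))


def validator_outcome(resp: Response, validator_algs: Iterable[int]) -> str:
    """RFC 4035 section 5.2 style result.

    A validator that understands none of the algorithms the data is signed
    with must treat it as insecure (unsigned), not bogus.  Signature
    verification itself is not modelled; a supported algorithm counts as a
    successful validation."""
    if resp.rcode != NOERROR:
        return "servfail"
    known = set(validator_algs)
    if any(alg in known for alg in resp.rrsig_algs):
        return "secure"
    return "insecure"


def queries_to_settle(server_algs: Iterable[int], validator_algs: Tuple[int, ...],
                      use_option: bool) -> Tuple[int, str]:
    """Count round trips until the validator holds an answer it can decide on.

    Without the option a single query returns all signatures.  With the option
    the validator first sends its preference list; on SERVFAIL it has to query
    again without the option to reach the insecure fallback (constructed retry
    strategy; the draft itself does not prescribe one)."""
    server_algs = set(server_algs)
    if not use_option:
        return 1, validator_outcome(authoritative_answer(server_algs), validator_algs)
    resp = authoritative_answer(server_algs, validator_algs)
    queries = 1
    if resp.rcode == SERVFAIL:
        resp = authoritative_answer(server_algs)
        queries += 1
    return queries, validator_outcome(resp, validator_algs)


if __name__ == "__main__":
    zone = {RSASHA256, ECDSAP256SHA256}          # constructed: zone signed twice
    old_validator = (RSASHA256,)                 # understands only RSA
    new_validator = (ED25519, ECDSAP256SHA256)   # prefers Ed25519
    ed_only = (ED25519,)                         # understands only Ed25519
    for name, v in (("old", old_validator), ("new", new_validator), ("ed-only", ed_only)):
        for opt in (False, True):
            print(name, "option" if opt else "plain", queries_to_settle(zone, v, opt))
```

Running the block shows the case Olafur objects to: a validator whose preferred list shares nothing with the zone's algorithms gets SERVFAIL and needs a second round trip to reach the same insecure result it would have reached with one query today, while validators that overlap with the zone get a single-algorithm answer in one query.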
