> This message starts a
> dnsop WG Call for Adoption of:
> draft-andrews-ds-support-for-private-algorithms-02
I strongly object to the adoption of this draft for two reasons.

1) The effect of this draft is to make it safe to use private DNSSEC signing algorithms on the public Internet. In my opinion, we should discourage production use of private code points on the public Internet. Use of private code points leads to underspecified protocols, protocol documents that are not accessible, etc. I think we have to be extra careful with security algorithms.

If I look ahead, what this draft may lead to is private PQC algorithms that are developed completely outside the IETF becoming an operational reality on the public Internet. I think that's bad and we should not promote that at all. The current DS hash functions are perfectly fine for use with private algorithms in a limited environment.

2) The second issue is that RFC 4034 defines the digest field as follows:

    digest = digest_algorithm( DNSKEY owner name | DNSKEY RDATA);

That means that an implementation can take the DNSKEY owner name and RDATA, put that in a buffer as an octet string, pass it to a hash function and take the output as the DS digest field.

The text in the draft seems innocent enough; however, the impact can be large. I looked at my code and the impact will be significant. I don't want to add all kinds of hacks in the DS digest calculation just to support the use of private algorithms on the Internet.

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
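As an added example that is not part of this message, the draft, or any implementation discussed in the thread: a minimal Python implementation of the DS computation from RFC 4034 that the message describes. The owner name, flags, algorithm number and key bytes are constructed stand-ins, not real key material. It shows that the digest is one hash over one concatenated buffer (canonical owner name, then the DNSKEY RDATA) and, for algorithm 253 (PRIVATEDNS, RFC 4034 Appendix A.1.1), that the private algorithm's identifier is just part of the public key field inside that buffer, so the DS record itself only carries the number 253.

```python
"""DS digest and key tag computation as RFC 4034 specifies them.

Added example for this thread; not code from the draft or from any
resolver or signer.  All key material below is constructed.
"""
import hashlib
import struct

# DS digest type -> hash (RFC 4034 sec. 5.1.3, RFC 4509, RFC 6605).
# Type 3 (GOST R 34.11-94) is omitted because hashlib does not ship it.
DIGEST_ALGORITHMS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

PRIVATEDNS = 253  # algorithm named by a domain name at the start of the key
PRIVATEOID = 254  # algorithm named by an OID at the start of the key


def name_to_wire(name: str) -> bytes:
    """Uncompressed wire-format owner name in canonical (lowercase) form,
    which RFC 4034 section 6.2 requires before hashing."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2) | protocol (1, always 3) | algorithm (1) | key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag over the whole DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """digest = digest_algorithm(DNSKEY owner name | DNSKEY RDATA).

    One hash over one buffer.  The algorithm byte and, for private
    algorithms, the identifier embedded in the key field are simply bytes
    in that buffer; nothing is parsed or treated specially.
    """
    h = DIGEST_ALGORITHMS[digest_type]()
    h.update(name_to_wire(owner) + rdata)
    return h.digest()


def ds_rdata(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS RDATA: key tag (2) | algorithm (1) | digest type (1) | digest."""
    algorithm = rdata[3]  # copied from the DNSKEY, so 253 for PRIVATEDNS
    header = struct.pack("!HBB", key_tag(rdata), algorithm, digest_type)
    return header + ds_digest(owner, rdata, digest_type)


def private_dns_algorithm(public_key: bytes):
    """For algorithm 253, RFC 4034 Appendix A.1.1: the public key field
    begins with an uncompressed wire-format domain name naming the
    algorithm.  Returns (algorithm name, remaining key bytes)."""
    labels = []
    i = 0
    while True:
        n = public_key[i]
        if n & 0xC0:
            raise ValueError("compression pointer not allowed here")
        i += 1
        if n == 0:
            break
        labels.append(public_key[i:i + n].decode("ascii"))
        i += n
    return ".".join(labels) + ".", public_key[i:]


if __name__ == "__main__":
    # Constructed KSK (flags 257) with a standard algorithm number.
    rd = dnskey_rdata(257, 13, b"\x01" * 64)
    print("key tag", key_tag(rd), "DS", ds_rdata("example.com.", rd).hex())
    # Constructed PRIVATEDNS key: the hashed buffer contains the name
    # "alg.example." but the DS algorithm field only says 253.
    pk = name_to_wire("alg.example.") + b"\xab" * 32
    rd253 = dnskey_rdata(257, PRIVATEDNS, pk)
    print("private algorithm", private_dns_algorithm(pk)[0],
          "DS algorithm byte", ds_rdata("example.com.", rd253)[2])
```

The point the message makes is visible in `ds_digest`: the function never looks inside the RDATA, so any scheme that wants the DS computation to treat private-algorithm keys differently has to add parsing to a routine that today is a single hash call.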
