Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC

2017-07-20 Thread Shumon Huque
On Thu, Jul 20, 2017 at 11:48 AM, Willem Toorop wrote: > On 20-07-17 at 10:45, Shumon Huque wrote: > > On Thu, Jul 20, 2017 at 10:39 AM, Ólafur Guðmundsson > > > wrote: > > > > > > I disagree, if a zone operator

Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC

2017-07-20 Thread Willem Toorop
On 20-07-17 at 10:45, Shumon Huque wrote: > On Thu, Jul 20, 2017 at 10:39 AM, Ólafur Guðmundsson > > wrote: > > > I disagree, if a zone operator selects "less-than" common algorithm > they do that at their own risk, > if the risk

Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC

2017-07-20 Thread Ólafur Guðmundsson
On Thu, Jul 20, 2017 at 10:45 AM, Shumon Huque wrote: > On Thu, Jul 20, 2017 at 10:39 AM, Ólafur Guðmundsson < > ola...@cloudflare.com> wrote: >> >> >> I disagree, if a zone operator selects "less-than" common algorithm they >> do that at their own risk, >> if the risk is not

Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC

2017-07-20 Thread Shumon Huque
On Thu, Jul 20, 2017 at 10:39 AM, Ólafur Guðmundsson wrote: > > > I disagree, if a zone operator selects "less-than" common algorithm they > do that at their own risk, > if the risk is not acceptable then it should dual sign > Yes. The point I was trying to make is

Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC

2017-07-20 Thread Ólafur Guðmundsson
On Tue, Jul 11, 2017 at 12:16 AM, Shumon Huque wrote: > On Mon, Jul 10, 2017 at 5:01 PM, Ólafur Guðmundsson > wrote: > >> Shumon, >> >> In section 5 your draft says: >> >>If an Authoritative Server has no algorithms in common with the >>

Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC

2017-07-20 Thread Shumon Huque
On Thu, Jul 20, 2017 at 9:51 AM, Stephane Bortzmeyer wrote: > On Wed, Jul 19, 2017 at 02:28:37PM +0200, > Shumon Huque wrote > a message of 153 lines which said: > > > > Suppose I send the list ECDSA;RSA, and I receive only ECDSA > > > signatures. How the

Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC

2017-07-19 Thread Shumon Huque
On Wed, Jul 19, 2017 at 10:49 AM, Stephane Bortzmeyer wrote: > On Tue, Jul 04, 2017 at 11:42:56AM -0400, > Shumon Huque wrote > a message of 108 lines which said: > > > We've posted a new draft on algorithm negotiation which we're hoping to > > discuss at

Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC

2017-07-19 Thread Stephane Bortzmeyer
On Tue, Jul 04, 2017 at 11:42:56AM -0400, Shumon Huque wrote a message of 108 lines which said: > We've posted a new draft on algorithm negotiation which we're hoping to > discuss at IETF99 For the discussion on Thursday: > In contrast, many other security protocols, like

Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC

2017-07-10 Thread Shumon Huque
On Mon, Jul 10, 2017 at 6:41 PM, Mark Andrews wrote: > > > > I also don't want to deploy only Ed448 and cause my zone to be instantly > > treated as unsigned by the vast majority of resolvers. Obviously, because > > I've nullified the security benefit of DNSSEC, but also because I

Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC

2017-07-10 Thread Mark Andrews
In message , Shumon Huque writes: > On Mon, Jul 10, 2017 at 5:00 PM, Paul Wouters wrote: > > > On Mon, 10 Jul 2017, Shumon Huque wrote: > > > > We've posted a new draft on algorithm negotiation which we're

Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC

2017-07-10 Thread Shumon Huque
On Mon, Jul 10, 2017 at 5:01 PM, Ólafur Guðmundsson wrote: > Shumon, > > In section 5 your draft says: > >If an Authoritative Server has no algorithms in common with the >Preferred Algorithms list in the incoming query, it MUST send back a >SERVFAIL response

Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC

2017-07-10 Thread Shumon Huque
On Mon, Jul 10, 2017 at 5:00 PM, Paul Wouters wrote: > On Mon, 10 Jul 2017, Shumon Huque wrote: > > We've posted a new draft on algorithm negotiation which we're hoping >> to discuss at IETF99 (and on list of course). I've discussed this >> topic with several folks at DNS-OARC

Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC

2017-07-10 Thread Ólafur Guðmundsson
Shumon, In section 5 your draft says: If an Authoritative Server has no algorithms in common with the Preferred Algorithms list in the incoming query, it MUST send back a SERVFAIL response (Response Code 2). This response MUST contain the list of algorithms supported by the server

Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC

2017-07-10 Thread Paul Wouters
On Mon, 10 Jul 2017, Shumon Huque wrote: We've posted a new draft on algorithm negotiation which we're hoping to discuss at IETF99 (and on list of course). I've discussed this topic with several folks at DNS-OARC recently. https://tools.ietf.org/html/draft-huque-dnssec-alg-nego-00 I'm

Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC

2017-07-10 Thread Shumon Huque
On Mon, Jul 10, 2017 at 2:53 PM, Shumon Huque wrote: > On Mon, Jul 10, 2017 at 1:50 PM, Bob Harold wrote: > >> >> On Tue, Jul 4, 2017 at 11:42 AM, Shumon Huque wrote: >> >>> Hi folks, >>> >>> We've posted a new draft on algorithm

Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC

2017-07-10 Thread Michael H. Warfield
On Mon, 2017-07-10 at 13:50 -0400, Bob Harold wrote: > On Tue, Jul 4, 2017 at 11:42 AM, Shumon Huque > wrote: > > Hi folks, ... > And perhaps a really dumb off-topic question: > I do not use DNSSEC yet, mostly due to time and effort, secondly due > to concern over the

Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC

2017-07-10 Thread Shumon Huque
On Mon, Jul 10, 2017 at 1:50 PM, Bob Harold wrote: > > On Tue, Jul 4, 2017 at 11:42 AM, Shumon Huque wrote: > >> Hi folks, >> >> We've posted a new draft on algorithm negotiation which we're hoping to >> discuss at IETF99 (and on list of course). I've

Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC

2017-07-10 Thread Bob Harold
On Tue, Jul 4, 2017 at 11:42 AM, Shumon Huque wrote: > Hi folks, > > We've posted a new draft on algorithm negotiation which we're hoping to > discuss at IETF99 (and on list of course). I've discussed this topic with > several folks at DNS-OARC recently. > >

[DNSOP] New draft: Algorithm Negotiation in DNSSEC

2017-07-04 Thread Shumon Huque
Hi folks, We've posted a new draft on algorithm negotiation which we're hoping to discuss at IETF99 (and on list of course). I've discussed this topic with several folks at DNS-OARC recently. https://tools.ietf.org/html/draft-huque-dnssec-alg-nego-00 A New Internet-Draft is available from