DNSSEC allocations
DNSEXT chairs
IETF-75
Stockholm 2009/07/29
Introduction
• DNSSEC has the following registries where algorithms can be registered:
  – DNSKEY/RRSIG/KEY algorithm
    • 7 codes assigned out of 250
  – DS digest algorithm
    • 2 out of 254
  – NSEC3 obfuscation function
    • 1 out of 254
  – TSIG hash function
    • 8 names allocated
• Allocation for all of these is currently “Standards action”
Issue: What is the appropriate action?
• Standards action
  – WG and IESG must agree to the action.
• Experimental/Informational RFC
  – RFC published
    • WG will lose veto power but might be able to influence the outcome
• Expert Review
  – WG and IESG are out of the picture
    • But WG and ADs appoint the experts.
• Others:
  – FCFS not applicable
  – Close registry once we get an unbreakable alg.
Required/Optional
• Currently most DNSKEY algorithms are “required”
  – The registry has a field saying whether an algorithm can sign a zone; RSA/MD5 and DH cannot sign zones?
  – http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
• DS algorithms
  – Currently both required; envisioned: required and retired
  – http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml
• NSEC3: new algorithms require protocol and implementation changes
  – Optional out of the question?
  – http://www.iana.org/assignments/dnssec-nsec3-parameters/dnssec-nsec3-parameters.xhtml
• TSIG
  – WG will be adding the concept of optional and “not-recommended” to the registry soon.
  – http://www.iana.org/assignments/tsig-algorithm-names
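The “zone signing” field and the DS digest type codes discussed above are easiest to see in a small audit script. The following Python is an added example, not code from the slides or from the DNSEXT WG: it carries a constructed subset of the IANA DNSKEY algorithm and DS digest type registries (only the codes the deck mentions, plus the real private-use codes 253/254), parses presentation-format DNSKEY records, flags algorithms the registry does not permit for zone signing, and computes the matching DS digest per RFC 4034 so a DS record’s digest type and length can be checked against the registry. The sample records and key bytes are constructed test data, not real keys.

```python
"""Audit DNSKEY/DS records against a constructed subset of the IANA DNSSEC registries.

Added example, not from the IETF-75 slides. The tables below are a hand-copied
subset of the registries the slides link to; consult the live registry for the
full list. Sample records are constructed, the key material is arbitrary bytes.
"""
import base64
import hashlib

# DNSKEY algorithm registry subset: code -> (mnemonic, permitted for zone signing).
# The second field is the "zone signing" column the slides refer to: RSA/MD5 and
# DH are registered but may not be used to sign zones.
DNSKEY_ALGORITHMS = {
    1: ("RSAMD5", False),
    2: ("DH", False),
    3: ("DSA", True),
    5: ("RSASHA1", True),
    6: ("DSA-NSEC3-SHA1", True),
    7: ("RSASHA1-NSEC3-SHA1", True),
    8: ("RSASHA256", True),  # proposed at the time of the talk, registered afterwards
}
PRIVATE_USE_ALGORITHMS = {253: "PRIVATEDNS", 254: "PRIVATEOID"}

# DS digest type registry subset: code -> (name, hashlib constructor, digest length in bytes).
DS_DIGEST_TYPES = {
    1: ("SHA-1", hashlib.sha1, 20),
    2: ("SHA-256", hashlib.sha256, 32),
}


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s.6.2): lowercase, length-prefixed labels."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def parse_dnskey(rr: str):
    """Parse a presentation-format DNSKEY RR into (owner, flags, protocol, algorithm, key bytes)."""
    fields = rr.split()
    idx = fields.index("DNSKEY")  # TTL and class are optional, so locate the type name
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    key = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], flags, protocol, algorithm, key


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key: bytes) -> bytes:
    """DNSKEY RDATA wire form: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def audit_dnskey(rr: str) -> list:
    """Return registry findings for a DNSKEY record; an empty list means it passes."""
    _, _, protocol, algorithm, _ = parse_dnskey(rr)
    findings = []
    if protocol != 3:
        findings.append(f"protocol field must be 3 (RFC 4034), got {protocol}")
    if algorithm in PRIVATE_USE_ALGORITHMS:
        findings.append(f"algorithm {algorithm} is private use ({PRIVATE_USE_ALGORITHMS[algorithm]})")
    elif algorithm not in DNSKEY_ALGORITHMS:
        findings.append(f"algorithm {algorithm} is not in the registry subset")
    elif not DNSKEY_ALGORITHMS[algorithm][1]:
        name = DNSKEY_ALGORITHMS[algorithm][0]
        findings.append(f"algorithm {algorithm} ({name}) is not permitted for zone signing")
    return findings


def make_ds(rr: str, digest_type: int):
    """DS fields for a DNSKEY (RFC 4034 s.5.1.4): digest = hash(owner wire || DNSKEY RDATA)."""
    owner, flags, protocol, algorithm, key = parse_dnskey(rr)
    _, ctor, _ = DS_DIGEST_TYPES[digest_type]
    rdata = dnskey_rdata(flags, protocol, algorithm, key)
    digest = ctor(owner_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def audit_ds(ds) -> list:
    """Check a DS tuple (key tag, algorithm, digest type, hex digest) against the registry subset."""
    _, algorithm, digest_type, digest = ds
    findings = []
    if digest_type not in DS_DIGEST_TYPES:
        findings.append(f"DS digest type {digest_type} is not in the registry subset")
    elif len(digest) != DS_DIGEST_TYPES[digest_type][2] * 2:
        findings.append(f"digest length {len(digest) // 2} bytes does not match {DS_DIGEST_TYPES[digest_type][0]}")
    if algorithm not in DNSKEY_ALGORITHMS and algorithm not in PRIVATE_USE_ALGORITHMS:
        findings.append(f"DS references unregistered DNSKEY algorithm {algorithm}")
    return findings


# Constructed samples: a KSK using RSASHA256 and a ZSK wrongly using RSA/MD5.
SAMPLE_KSK = "example.test. 3600 IN DNSKEY 257 3 8 AQIDBA=="
SAMPLE_BAD = "example.test. 3600 IN DNSKEY 256 3 1 AQIDBA=="

if __name__ == "__main__":
    for rr in (SAMPLE_KSK, SAMPLE_BAD):
        print(rr, "->", audit_dnskey(rr) or "ok")
    print("DS:", make_ds(SAMPLE_KSK, 2))
```

Running the script reports the RSA/MD5 record as not permitted for zone signing and prints the SHA-256 DS for the sample KSK; extending the two tables is all that is needed when the registries gain codes such as the ones listed later in the deck.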
Possible Paths forward
• What is right for one registry may not be the right action for a different one.
• Options:
  – Do nothing, i.e. keep the current state
  – Sponsor a document defining the new “actions”
  – Examine the issues and make a decision later
BUT:
• The following new algorithms have been proposed:
  – DNSKEY RSA/SHA256
  – DNSKEY GOST R 34.10-2001
  – DNSKEY ECDSAP224SHA256
  – DNSKEY ECDSAP256SHA256
  – DNSKEY ECDSAP384SHA384
  – DNSKEY DSA2048SHA256
  – DS SHA384
  – DS GOST R 34.11-94
• After the NIST SHA-3 competition concludes, expect more proposals.
• Effort required to develop a new public key algorithm:
  – 1999: Quite difficult
  – 2009: Easy
    • ECC curve + digest function
    • RSA + digest function
    • DSA + digest function
Goal
• We need concrete and fair criteria for evaluating new submissions
  – How to pick among “equivalent” submissions.
• We need a statement from WG/IAB on the “harm” of adding new algorithms:
  – None, some, serious, ….
Open mic