Re: Q2: crypto algorithm requirements for DNSSEC
Correct. I was taking "implementation" to mean "the resolver should be
capable of verifying a SIG using algorithm X". That is slightly different
from saying that all zone RR sets must have SIGs using multiple algorithms.
Although that point does deserve discussion: if DSA is still "REQUIRED",
does that mean each zone should have both an RSA/SHA1 SIG and a DSA SIG for
each RR set?
I'm asking because I don't know what the answer should be. I don't know if
there is a consensus on what it entails when there are multiple REQUIRED
algorithms.
Scott
(term nitpick - my use of "resolver" is used to mean "a security aware
resolver/verifier" in the above).
----- Original Message -----
From: "Loomis, Rip" <GILBERT.R.LOOMIS@saic.com>
>
> > There has been previous talk on this list regarding dropping DSA as a
> > mandatory to implement algorithm. Instead of writing a whole RFC just to
> > propose making DSA optional and RSA/SHA1 the only required algorithm, it
> > would be nice to seek consensus here.
> [Table and other discussion elided]
> > Q: Is the change of DSA to OPTIONAL acceptable? That will leave only
> > RSA/SHA1 as the only mandatory to implement algorithm.
>
> I agree that any requirement that folks MUST USE both RSA and DSA (must
> sign each record with both) is over-engineering, and actually provides
> no added security while having a significant operational cost (sorry,
> have to disagree with Mark A. on this one).
>
> I don't think that's what Scott originally asked, though, which is why
> I piped up in the first place. Did I miss something?
>
> --Rip
>
> --
> to unsubscribe send a message to namedroppers-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://ops.ietf.org/lists/namedroppers/>
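As an added illustration of the two readings of "REQUIRED" that this thread distinguishes (a zone MUST sign under every required algorithm, versus a verifier MUST be able to check every required algorithm), here is a small model. It is example code written for this page, not code from the thread or from any DNSSEC implementation; the algorithm numbers (1 = RSA/MD5, 3 = DSA, 5 = RSA/SHA1) are assumed from RFC 2535 and RFC 3110, and the zone contents are constructed.

```python
from dataclasses import dataclass

# DNSSEC algorithm numbers; assumed here from RFC 2535 / RFC 3110, not taken from the thread.
RSA_MD5 = 1
DSA = 3
RSA_SHA1 = 5
ALG_NAME = {RSA_MD5: "RSA/MD5", DSA: "DSA", RSA_SHA1: "RSA/SHA1"}


@dataclass(frozen=True)
class RRset:
    """One RR set of a zone plus the algorithm numbers of the SIG RRs covering it."""
    name: str
    rtype: str
    sig_algorithms: frozenset


def make_zone(*algorithms):
    """Constructed sample zone: SOA, NS and A RR sets, each signed under the given algorithms."""
    algs = frozenset(algorithms)
    return [
        RRset("example.test.", "SOA", algs),
        RRset("example.test.", "NS", algs),
        RRset("www.example.test.", "A", algs),
    ]


def missing_required_sigs(zone, required):
    """Reading 1 ("must use"): every RR set must carry a SIG under every REQUIRED
    algorithm. Returns {(name, type): [names of the algorithms missing a SIG]}."""
    required = frozenset(required)
    return {
        (rr.name, rr.rtype): [ALG_NAME[a] for a in sorted(required - rr.sig_algorithms)]
        for rr in zone
        if required - rr.sig_algorithms
    }


def unverifiable_rrsets(zone, verifier_algorithms):
    """Reading 2 ("must implement"): the verifier implements the REQUIRED algorithms;
    an RR set is verifiable when at least one of its SIGs uses an algorithm the
    verifier implements. Returns the (name, type) pairs the verifier cannot check."""
    supported = frozenset(verifier_algorithms)
    return [(rr.name, rr.rtype) for rr in zone if not (rr.sig_algorithms & supported)]


def sig_count(zone):
    """Operational cost proxy: total number of SIG RRs the zone must carry and maintain."""
    return sum(len(rr.sig_algorithms) for rr in zone)


if __name__ == "__main__":
    single = make_zone(RSA_SHA1)      # signed only under the proposed sole MTI algorithm
    dual = make_zone(RSA_SHA1, DSA)   # signed under both, the "must use both" reading

    # Reading 1 with {RSA/SHA1, DSA} required: the single-signed zone is non-compliant.
    print("missing SIGs:", missing_required_sigs(single, {RSA_SHA1, DSA}))
    # Reading 2: any verifier that implements RSA/SHA1 validates the single-signed zone.
    print("RSA/SHA1 verifier cannot check:", unverifiable_rrsets(single, {RSA_SHA1}))
    # A verifier that implements only DSA cannot, which is why RSA/SHA1 stays mandatory to implement.
    print("DSA-only verifier cannot check:", unverifiable_rrsets(single, {DSA}))
    # Dual signing doubles the SIG count without helping an RSA/SHA1-capable verifier.
    print("SIG RRs, single vs dual:", sig_count(single), sig_count(dual))
```

The point the model makes concrete: under the "must implement" reading, a zone signed only with RSA/SHA1 is already verifiable by every conforming verifier, so the second SIG per RR set under the "must use" reading adds signing and zone-size cost without adding anything a conforming verifier could not already check.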