On Wed, Dec 30, 2020 at 10:22 PM Paul Wouters <p...@nohats.ca> wrote:
> On Dec 30, 2020, at 22:11, Daniel Migault <mglt.i...@gmail.com> wrote:
> >
> > <mglt>
> > If I understand clearly the comment, it seems to say that TLS (for
> > example) is using RFC Required and that DNSSEC should do the same. Quickly
> > going through RFC 8447, I cannot find "RFC Required", so I am wondering if
> > you have a specific registry in mind. As far as I can see, the TLS cipher
> > suite registry requires Standard Action to set Recommended to "Y" and
> > Specification Required otherwise. As a result, leaving it to Standard
> > Action seems better aligned with what TLS does for "Recommended".
>
> As previously explained in this thread, you cannot compare TLS with
> DNSSEC. With TLS you can offer IETF algorithms along with a nation state
> algo, and the client can pick what it prefers.
>
> For DNSSEC, the signed zone has already made all the decisions. A DNS
> client cannot decide to use or not use its local national algo.
>
> Paul

<mglt>
I think you expand what was my response mentioned as: "Olafur comes with additional differences between DNSSEC and other security protocols." So yes that is correct. I however, do not see that contradicting that RFC Required is not so widely used - even in other security protocols.
</mglt>

> > My motivation for not lowering the requirement is based on the
> > specificities of DNS, that is the DNS is a system handles a global shared
> > resource
>
> For those regimes who for instance are not allowed to trust RSA or
> NIST/NSA based ECC curves, you prefer those zones use no DNSSEC at all
> versus say GOST ?
>
> Because that’s what you are offering as the only choice now.

<mglt>
I do not understand the reasoning. I am proposing a Standard Action requirement and as far I can see GOST [1] is Standard Track. It is unclear to me what prevents DNSSEC being deployed with GOST.

[1] https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc5933-bis/
</mglt>

> Paul

--
Daniel Migault
Ericsson
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop