[DNSOP] Re: [Ext] Dnsdir last call review of draft-ietf-dnsop-rfc7958bis-03

2024-07-31 Thread Joe Abley
On 1 Aug 2024, at 02:29, Paul Hoffman wrote: >> Is there implementation experience with the new format? What was the >> implementer feedback? > > We have heard informally that some implementers have added the new features > with no problems, but they obviously can't test it until there is a new

[DNSOP] Re: [Ext] Dnsdir last call review of draft-ietf-dnsop-rfc7958bis-03

2024-07-31 Thread Paul Hoffman
Thanks for the review! On Jul 31, 2024, at 04:30, Petr Špaček via Datatracker wrote: > Reviewer: Petr Špaček > Review result: On the Right Track > > I was assigned as the dnsdir reviewer for draft-ietf-dnsop-rfc7958bis. > > For more information about the DNS Directorate, please see > https:

[DNSOP] Re: New draft on collision free key tags in DNSSEC

2024-07-31 Thread Paul Wouters
On Jul 31, 2024, at 09:29, Petr Špaček wrote: > > On 30. 07. 24 9:41, libor.peltan wrote: >> 2) I would still vote for allowing one keytag collision per zone (not per >> whole chain-of-trust, like Bind does) instead of none. This would be more >> comfortable for many older/simpler signers and

[DNSOP] Re: Secdir early review of draft-ietf-dnsop-compact-denial-of-existence-04

2024-07-31 Thread Brian Weis
Hi Shumon, Thanks … your replies to the questions make sense to me. Brian > On Jul 30, 2024, at 7:13 PM, Shumon Huque wrote: > > On Tue, Jul 30, 2024 at 7:51 PM Brian Weis via Datatracker > wrote: >> Reviewer: Brian Weis >> Review result: Has Nits > > Thank you for y

[DNSOP] Re: Secdir early review of draft-ietf-dnsop-compact-denial-of-existence-04

2024-07-31 Thread Michael Sinatra
On 7/30/24 19:40, John Levine wrote: It appears that Shumon Huque said: -=-=-=-=-=- Thank you Michael, Your observation is certainly true. However, I want to point out that inability to synthesize NXDOMAIN via aggressive negative caching applies to any online signing scheme that uses minim

[DNSOP] Re: Secdir early review of draft-ietf-dnsop-compact-denial-of-existence-04

2024-07-31 Thread Michael Sinatra
On 7/30/24 19:22, Shumon Huque wrote: Thank you Michael, Your observation is certainly true. However, I want to point out that inability to synthesize NXDOMAIN via aggressive negative caching applies to any online signing scheme that uses minimally covering NSEC, not just Compact DoE. Yes,

[DNSOP] Re: New draft on collision free key tags in DNSSEC

2024-07-31 Thread Petr Špaček
On 31. 07. 24 15:56, Vladimír Čunát wrote: On 31/07/2024 15.29, Petr Špaček wrote: Per-zone limit does not defend against resource exhaustion because an attacker can construct chain of delegations a.b.c.d.e.. and max out limit on each level. Then you instantly get about 126*(per-zone limit

[DNSOP] Re: New draft on collision free key tags in DNSSEC

2024-07-31 Thread Vladimír Čunát
On 31/07/2024 15.29, Petr Špaček wrote: Per-zone limit does not defend against resource exhaustion because an attacker can construct chain of delegations a.b.c.d.e.. and max out limit on each level. Then you instantly get about 126*(per-zone limit on validations) just for this particular at

[DNSOP] Re: New draft on collision free key tags in DNSSEC

2024-07-31 Thread Petr Špaček
On 30. 07. 24 9:41, libor.peltan wrote: 2) I would still vote for allowing one keytag collision per zone (not per whole chain-of-trust, like Bind does) instead of none. This would be more comfortable for many older/simpler signers and not too much additional work for validating resolvers, IMHO.

[DNSOP] Re: New draft on collision free key tags in DNSSEC

2024-07-31 Thread Vladimír Čunát
On 30/07/2024 09.41, libor.peltan wrote: Anyway, it can realistically take decades before any new algorithms seize some good portion of DNSSEC. In other words, that flag day has already silently passed. I don't think that's a helpful point in time. I assume the main target of this RFC is def

[DNSOP] Dnsdir last call review of draft-ietf-dnsop-rfc7958bis-03

2024-07-31 Thread Petr Špaček via Datatracker
Reviewer: Petr Špaček Review result: On the Right Track I was assigned as the dnsdir reviewer for draft-ietf-dnsop-rfc7958bis. For more information about the DNS Directorate, please see https://wiki.ietf.org/en/group/dnsdir Summary: On the Right Track I've read the document with fresh eyes and