Deprecate usage of ECC-GOST within DNSSEC
draft-ietf-dnsop-must-not-ecc-gost-07
Yes
Deb Cooley
No Objection
Andy Newton
Erik Kline
Gunter Van de Velde
Jim Guichard
Mahesh Jethanandani
Mike Bishop
Note: This ballot was opened for revision 03 and is now closed.
Deb Cooley
Yes
Éric Vyncke
Yes
Comment
(2025-03-06 for -03)
Not sent
This document is part of a group of 3 I-D. I suggest to start reviewing draft-ietf-dnsop-rfc8624-bis-07 first.
Gorry Fairhurst
Yes
Comment
(2025-04-27 for -04)
Sent
Thank you for preparing this short and clear document. The abstract mentions “ECC-GOST” “DNSSEC” in the first line, it would be helpful to define each when they are first used.
Paul Wouters
Yes
Comment
(2025-03-06 for -03)
Sent
This document retires the use of ECC-GOST within DNSSEC.
I know ECC-GOST is the mnemonic for value 12, but I think it is confusing since there is another GOST that is also ECC?
Maybe say:
retures the use of GOST R 34.10-2001 (mnemonic "ECC-GOST")
In the Security or Operational considerations, it would be mentioned this was never deployed beyond a few test zones and the Russian NIC?
And it should say those using it fall back from DNSSEC to DNS, but that is not a big concern because it never saw any real deployment.
Andy Newton
No Objection
Erik Kline
No Objection
Gunter Van de Velde
No Objection
Jim Guichard
No Objection
Ketan Talaulikar
No Objection
Comment
(2025-05-16 for -04)
Sent
Thanks to the authors and the WG for the work on this document. My comments are specifically related to the document status and not the sum and substance. 1) It seems odd (even wrong?) to update an RFC that has been marked historic. I would suggest to not do that please. 2) Instead this document could update RFC 9364 which is the BCP for DNSsec. It can do that by "inserting" an section related to obsoleted (and MUST NOT use) technologies into that BCP. Start off by putting the ones that are being obsoleted in this document in their and perhaps there may be more such that come up down the line (with future documents that keep that "obsoleted" section up to date?). It seemed to me like a better way to go about this? 3) The IANA marking part could be done in the parallelly progressing document draft-ietf-dnsop-rfc8624-bis with a reference to this document. I am assuming that doing just this step is not sufficient as we want additional text/color about this obsolesce? Please do correct my understanding if I've misunderstood the game here ... for my own education :-)
Mahesh Jethanandani
No Objection
Mike Bishop
No Objection
Mohamed Boucadair
No Objection
Comment
(2025-05-11 for -04)
Sent
Hi Wes/Warren, Thank you for effort put into this specification. Please find below some comments: # Update CURRENT: Updates: 5933 (if approved) The update to 5933 is not needed here given that the registry already tags 12 as deprecated. # Why a separate document? It is tempting to ask why this is not handled as part of draft-ietf-dnsop-rfc8624, though. Cheers, Med
Orie Steele
No Objection
Comment
(2025-05-19 for -04)
Sent
# Orie Steele, ART AD, comments for draft-ietf-dnsop-must-not-ecc-gost-04 CC @OR13 * line numbers: - https://author-tools.ietf.org/api/idnits?url=https://www.ietf.org/archive/id/draft-ietf-dnsop-must-not-ecc-gost-04.txt&submitcheck=True * comment syntax: - https://github.com/mnot/ietf-comments/blob/main/format.md * "Handling Ballot Positions": - https://ietf.org/about/groups/iesg/statements/handling-ballot-positions/ ## Comments Thanks to Barry Leiba for the ARTART review. I support Roman's discuss, and Ketan's comments. ### insecure vs not recognized ``` 99 The GOST R 34.11-94 [RFC5933] algorithm MUST NOT be used when 100 creating DS records. Validating resolvers MUST treat GOST R 34.11-94 101 DS records as insecure. If no other DS records of accepted 102 cryptographic algorithms are available, the DNS records below the 103 delegation point MUST be treated as insecure. ``` Perhaps use similar text to draft-ietf-dnsop-must-not-sha1-06: ``` Validating resolvers deployed in more security strict environments MAY wish to treat these RRSIG records as an unsupported algorithm. ``` I'm not familiar with the differences between these cases, but it seems like an opportunity to use similar language.
Roman Danyliw
(was Discuss)
No Objection
Comment
(2025-05-22 for -06)
Sent
** Abstract This document retires the use of ECC-GOST within DNSSEC. I acknowledge that neither “retired” or “historic” (as used in -04) are well defined. In my view, "ECC-GOST" is already "retired". RFC5933 has historic status. Additionally, even without this document making registry updates: -- https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml already records this code point as deprecated, “GOST R 34.10-2001 (DEPRECATED)”. -- https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml does the same with “GOST R 34.11-94” by noting a status of “DEPRECATED”. Practically, I don’t understand the rationale for a separate document to explicitly map “DEPRECATED” to “MUST NOT” and why this couldn’t have just been done with draft-ietf-dnsop-rfc8624-bis-09. In his ballot on draft-ietf-dnsop-rfc8624-bis, Med points out that RSAMD5, also marked as DEPRECATED, was updated in the registry without a separate document. ** Section 1. Thus, the use of GOST R 34.10-2001 (mnemonic GOST-ECC) and and GOST R 34.11-94 is no longer recommended for use in DNSSEC [RFC9364]. -- The text here says, “no longer recommended”, but in Section 2 a much strong statement of “MUST NOT” is use. Those don’t seem congruent. ** Section 1. These sentences appear to conflict: (a) The use of GOST 34.10-2012 and GOST 34.11-2012 in DNSSEC is documented in [RFC9558], and so [RFC5933] has been made Historic. (b) Thus, the use of GOST R 34.10-2001 (mnemonic GOST-ECC) and GOST R 34.11-94 is no longer recommended for use in DNSSEC [RFC9364]. (c) Note that this document does not change or discuss the use of GOST 34.10-2012 and GOST 34.11-2012. By citing RFC9558, sentence (a) "discusses" the use of GOST 34.10-2012/GOST 34.11-2012 which sentence (c) said the text would not do. Recommend removing sentences (a) and (c).