HIPv2: cryptoagility for DNS proxy

So I should just filter the DNS answers based on the PK algorithm field in the HIP RR? Any suggestions for how I should know which algorithms the local HIP daemon supports? Generate python code based on ./configure or ask the daemon through hipconf at hipdnsproxy startup?

The algorithms can be used/discovered as follows:

hipconf daemon add hi default # enables multiple identities for hipd
hipconf daemon get hi all # lists all local identities (you can use this in the DNS proxy)

I think you should add an command line option that filters the identities because it's not needed in HIPv1 (which will co-exist in parallel with HIPv2). Detecting this is tricky because some host associations can use HIPv1 and others HIPv2 (see lp:913516). Or do the DNS records (in draft-ietf-hip-rfc5205-bis) distinguish between the two protocol versions?

Also, what do plan to do if all identities get filtered out? Return an empty response or IP addresses?

Few clarifications after some discussion with Xin:

1. I realized that the issue is irrelevant of HIP version number because (in theory) it's possible to include new algos in HIPv1.
2. Retrieving identities with "get hi all" is not an idea solution because it's just the run time identity configuration, not the actual algorithm support. For example, the following scenario works:
* Initiator and Responder support both algos A and B
* Initiator has a run-time identity for algo A and Responder for B

As the list of algorithm is quite static, I would suggest to store in in DNS proxy directly instead of querying from daemon. See the list of supported algos e.g. in hipd/hidb.c:get_public_key(). You could add a note in the file lib/core/protodefs.h near HIP_HI_xx definitions to update also DNS proxy whenever new algorithms are introduced.

This way, no new command line parameters for DNS proxy are needed and you can filter based on PK algorithm field. So, this should be quite simple.

(Note: a new hipconf option would introduce an additional bottleneck to the boot-up sequence between hipd and dnsproxy, so I am not encouraging it)

The DNS records are exactly the same for RFC5205 and RFC5205-bis.

I was planning on returning whatever the DNS proxy returns if there are no HIP records, if there are not HIP records with compatible algos.

Are there some well known HITs that use DSA instead of RSA as the algorithm or should I just generate my own for testing?

This is beginning to look suspiciously easy, but I'll just use more effort to make automated tests and refactor the huge mess that is the main loop currently.

DNS UDP responses don't seem to fit more than one HIP RR, so I'll have to implement DNS TCP client in order to get all records to filter.

Let's file this into a separate bug report.

I re-prioritized this task because this will require some feedback from the HIP WG and Xin is going to send email about this. The dual support in hipd and DNS proxy actually a bit more complicated than I originally thought; either we need a "flag day" for HIPv2 or we need to modify the specifications for smoother transition to HIPv2 (or in the future, HIPv3). The TCP client support can developed independently of this.