Re: [dane] Digest Algorithm Agility discussion

Viktor Dukhovni <> Mon, 17 March 2014 22:53 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 5F3C41A0646 for <>; Mon, 17 Mar 2014 15:53:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Y-nHo1e4jwLO for <>; Mon, 17 Mar 2014 15:53:38 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 068091A01D7 for <>; Mon, 17 Mar 2014 15:53:37 -0700 (PDT)
Received: by (Postfix, from userid 1034) id 3894C2AB275; Mon, 17 Mar 2014 22:53:29 +0000 (UTC)
Date: Mon, 17 Mar 2014 22:53:29 +0000
From: Viktor Dukhovni <>
Message-ID: <>
References: <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.23 (2014-03-12)
Subject: Re: [dane] Digest Algorithm Agility discussion
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 17 Mar 2014 22:53:40 -0000

On Mon, Mar 17, 2014 at 11:23:20PM +0100, Martin Rex wrote:

> DANE does not have any "tarnished" hash algorithms.

Not yet.  The point of algorithm agility is to plan for the future.
Yes, it is currently difficult to imagine practical weaknesses in
SHA2-256, but time marches on.

> DANE does not allow SHA1 at all and needs SHA-256 as a minimum.


> The weakest "link" is therefore the hash that is used by DNSSEC
> for the digital signature of the RRSET, which currently is SHA-1.

My zones are signed, or are about to be signed with algorithm 8,

> As long as DNSSEC does not require "stronger than SHA-256", it will
> be pure bike-shedding to prefer a SHA-512 TLSA record over a SHA-256 one.

We're specifying an agility algorithm.  Nobody has to publish
SHA2-512 digests.  Only SHA2-256 is mandatory at this time.  When
SHA2-512 is published, it may as well be used in preference to

Getting the specification right from the start avoids problems

> And you probably do not want to hold your breath until DNSSEC has
> overcome SHA-1 based signatures.

There are existing zones that are signed with RSA, NSEC3, SHA256.

> The notion that hashes allowed by DANE can be ordered by strength/weakness
> is also wrong.

Nobody is suggesting ordering by the 8-bit mtype ordinal or mere
hash length.  The ordering is to be based on client-defined preference
for the underlying digest algorithms.

> In the future, hashes with the same output size might get a codepoint
> assigned and used, and some of them might not be implemented by all DANE
> clients.  

That's fine.  Servers can publish all mandatory to implement
algorithms, plus any others of their choice.

> Usage of SHA-512/256 over SHA-256 is not motivated by algorithm strength
> concerns, but rather by raw hash throughput considerations on 64-bit
> platforms.

And yet SHA2-512 likely has (absurdly) greater collision resistance
than SHA2-256.  Right now both are far out of reach of practical
attacks.  This may not always be the case, and, especially when
servers introduce various other hashes, clients may want to
use preferred digests.

I am not proposing anything particularly radical.  It is a fairly
obvious and conservative proposal.  "Negotiate" (pick from server's
menu of choices) an optimal digest algorithm and use only that one
and not the rest.

The objections are a bit surprising.  (I too would like to believe
that SHA2-256 will never be compromised, but it seems prudent to
plan for the worst).

To turn this around, why should clients run through all of the
server's published digests by default, when any one should be
enough?  Since servers don't know which algorithms clients disable
by local policy, it is a mistake to publish an object's digest with
only a subset of the algorithms used to publish other objects.