Re: [dnsext] DS digest downgrade

Matt McCutchen <matt@mattmccutchen.net> Thu, 24 March 2011 02:46 UTC

From: Matt McCutchen <matt@mattmccutchen.net>
To: dnsext@ietf.org
In-Reply-To: <51C21B4C57014630B72B50B919271C89@local>
Content-Type: text/plain; charset="UTF-8"
Date: Wed, 23 Mar 2011 22:48:05 -0400
Message-ID: <1300934885.2117.219.camel@localhost>
Mime-Version: 1.0
X-Mailer: Evolution 2.32.3
Content-Transfer-Encoding: 7bit
Subject: Re: [dnsext] DS digest downgrade

[Note, I made the initial allegation of this issue in the dane/keyassure
group.]

On Mon, 2011-23-21 at 23:13 -0000, George Barwood wrote:
> Ok, I see it now, section 3
> 
>    Validator implementations SHOULD ignore DS RRs containing SHA-1
>    digests if DS RRs with SHA-256 digests are present in the DS RRset.

I wasn't aware of this.  I did not think to check the specifications of
individual algorithms; I would have expected a specification that
modifies the validation requirements like this to update RFC 4035.  I
have submitted an erratum to this effect.

Ad-hoc SHOULD-level statements for validators are no way to achieve a
fundamental security property, and leaving the implications for the DNS
administrator as an exercise to the reader is no way to achieve
interoperability.  In my view, the issue cannot be considered resolved
until there is a single document that states the uniformity requirement
for DS records and a MUST-level requirement for validators in an
algorithm-general way.

-- 
Matt
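As an added example, not from this thread or from any DNSSEC implementation, here is how a validator can enforce the rule quoted above (the SHA-256 DS specification, RFC 4509 section 3): filter the child's DS RRset down to the strongest supported digest type before matching any DNSKEY, so a SHA-1 DS record never authenticates a key once a SHA-256 record is present. The owner name, key bytes and DS records are constructed sample data.

```python
import hashlib
import struct

# DS digest types this validator supports (RFC 4034 / RFC 4509), strongest first.
DIGEST_PREFERENCE = [(2, "sha256"), (1, "sha1")]

def wire_name(name):
    """Owner name in wire format, lowercased as RFC 4034 section 5.1.4 requires."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (for algorithms other than 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, hash_name):
    """DS digest = hash(owner name in wire format | DNSKEY RDATA)."""
    return hashlib.new(hash_name, wire_name(owner) + rdata).digest()

def make_ds(owner, rdata, digest_type):
    """Build a DS record dict for a DNSKEY (used here to construct sample data)."""
    hash_name = dict(DIGEST_PREFERENCE)[digest_type]
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, hash_name)}

def usable_ds(ds_rrset):
    """Keep only DS records of the strongest supported digest type present, so
    SHA-1 records are ignored whenever SHA-256 records exist (RFC 4509 s.3)."""
    for digest_type, _ in DIGEST_PREFERENCE:
        chosen = [ds for ds in ds_rrset if ds["digest_type"] == digest_type]
        if chosen:
            return chosen
    return []  # no supported digest type: nothing can authenticate the child keys

def dnskey_matches(owner, rdata, ds_rrset):
    """True if a DS record surviving the downgrade filter authenticates this DNSKEY."""
    tag, alg = key_tag(rdata), rdata[3]
    hash_by_type = dict(DIGEST_PREFERENCE)
    for ds in usable_ds(ds_rrset):
        if ds["key_tag"] == tag and ds["algorithm"] == alg and \
           ds["digest"] == ds_digest(owner, rdata, hash_by_type[ds["digest_type"]]):
            return True
    return False
```

The third case in the test below is the downgrade the thread is about: a SHA-1 DS for the attacker-chosen key sitting beside a SHA-256 DS for a different key must not validate.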