Re: [dnsext] DNSSEC, robustness, and several DS records

Thierry Moreau <> Wed, 11 May 2011 13:39 UTC

Date: Wed, 11 May 2011 09:45:38 -0400
From: Thierry Moreau <>
To: Stephane Bortzmeyer <>
Subject: Re: [dnsext] DNSSEC, robustness, and several DS records

Stephane Bortzmeyer wrote:
> A recent incident led me to re-study the question of "what a
> validating resolver must/should do when there are several DS and some
> are invalid in some way?" AFAIK (I would be glad to be corrected
> here), the best common practice is to be lax ("DNSSEC is hard enough,
> accept any DS"), following RFC 4035, sections 2.4 and 5.3.1.
> But it seems there is an "exception". RFC 4509, section 3, says that
> DS hashed with SHA-1 must be ignored when there is a DS for the same
> key hashed with SHA-2. This is to avoid downgrade attacks.
> In the incident I was talking about, there were two DS for the same
> KSK key, one hashed with SHA-1 and one with SHA-256 and the second one
> was invalid, because of a bug (wrong Algorithm field). As a result,
> both BIND and Unbound, following RFC 4509, returned a SERVFAIL, while
> there was another and perfectly valid DS record.
> I question this rule: SHA-1 (as it is used for DNSSEC) is not broken,
> and the risk of downgrade attacks is ridiculous when you compare it
> both to the other attacks on DNSSEC and to the risk of creating an
> error. Isn't it a case of excess security, which will turn people away
> from DNSSEC (too much risk of breakage)?

Yes, it is such a case.

- Thierry Moreau
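The DS-matching logic behind the incident, as an added example that is not part of this thread (Python, with constructed key material and an assumed `example.` owner name). `authenticates` with `rfc4509=True` reproduces the BIND/Unbound outcome Stephane reports (no usable DS, hence SERVFAIL); `rfc4509=False` is the lax RFC 4035 policy. RFC 4509 section 3 is implemented as written there, i.e. SHA-1 DS records are dropped whenever any SHA-256 DS is present in the RRset.

```python
import hashlib
from dataclasses import dataclass, replace

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types (RFC 4034 / RFC 4509)

def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name, as hashed into a DS digest."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.pubkey

    def key_tag(self) -> int:  # RFC 4034 Appendix B
        ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(self.rdata()))
        return (ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes

def make_ds(owner: str, key: DNSKEY, digest_type: int) -> DS:
    """DS digest = hash(owner name in wire format | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    digest = DIGEST_ALGS[digest_type](wire_name(owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, digest_type, digest)

def ds_matches(ds: DS, owner: str, key: DNSKEY) -> bool:
    """RFC 4035 section 5.2: key tag, algorithm, digest type and digest must all agree."""
    return ds.digest_type in DIGEST_ALGS and ds == make_ds(owner, key, ds.digest_type)

def usable_ds(ds_rrset: list, rfc4509: bool) -> list:
    """RFC 4509 section 3: ignore SHA-1 DS records when any SHA-256 DS is present."""
    if rfc4509 and any(ds.digest_type == 2 for ds in ds_rrset):
        return [ds for ds in ds_rrset if ds.digest_type != 1]
    return list(ds_rrset)

def authenticates(owner: str, key: DNSKEY, ds_rrset: list, rfc4509: bool = True) -> bool:
    return any(ds_matches(ds, owner, key) for ds in usable_ds(ds_rrset, rfc4509))

# Constructed reproduction of the incident: a correct SHA-1 DS plus a SHA-256 DS whose
# Algorithm field (5) does not match the KSK's algorithm (8), so it can never match.
KSK = DNSKEY(flags=257, protocol=3, algorithm=8, pubkey=b"constructed-ksk-public-key")
INCIDENT_DS_RRSET = [make_ds("example.", KSK, 1), replace(make_ds("example.", KSK, 2), algorithm=5)]
```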