Re: [dnsext] DNSSEC, robustness, and several DS records

Thierry Moreau <thierry.moreau@connotech.com> Wed, 11 May 2011 13:39 UTC

Message-ID: <4DCA9302.5010102@connotech.com>
Date: Wed, 11 May 2011 09:45:38 -0400
From: Thierry Moreau <thierry.moreau@connotech.com>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: dnsext@ietf.org
In-Reply-To: <20110511080159.GA13132@nic.fr>

Stephane Bortzmeyer wrote:
> A recent incident led me to re-study the question of "what a
> validating resolver must/should do when there are several DS and some
> are invalid in some way?" AFAIK (I would be glad to be corrected
> here), the best common practice is to be lax ("DNSSEC is hard enough,
> accept any DS"), following RFC 4035, sections 2.4 and 5.3.1.
> 
> But it seems there is an "exception". RFC 4509, section 3, says that
> DS hashed with SHA-1 must be ignored when there is a DS for the same
> key hashed with SHA-2. This is to avoid downgrade attacks.
> 
> In the incident I was talking about, there were two DS for the same
> KSK key, one hashed with SHA-1 and one with SHA-256 and the second one
> was invalid, because of a bug (wrong Algorithm field). As a result,
> both BIND and Unbound, following RFC 4509, returned a SERVFAIL, while
> there was another and perfectly valid DS record.
> 
> I question this rule: SHA-1 (as it is used for DNSSEC) is not broken
> and the risk of downgrade attacks is ridiculous when you compare it both
> to the other attacks on DNSSEC and to the risk of creating an
> error. Isn't it a case of excess security, which will turn people away
> from DNSSEC (too much risk of breakage)?

Yes, it is such a case.

-- 
- Thierry Moreau
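The following is an added example, not code from either poster and not the validation code of BIND or Unbound. It simulates the two DS-selection policies the quoted message contrasts: the lax policy of RFC 4035 (any matching DS links the delegation) and the RFC 4509 section 3 rule (SHA-1 DS records are ignored whenever SHA-256 ones are present in the RRset). The DS matching itself follows RFC 4034 (key tag, algorithm and digest must all agree), with the key tag computed per RFC 4034 Appendix B. The owner name, the key bytes and the algorithm numbers (a correct DS set, and an "incident" set whose SHA-256 DS carries a wrong Algorithm field) are constructed for illustration and are not the real zone or values from the incident.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, length-prefixed labels, terminating root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B (the generic, non-algorithm-1 form)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int  # 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
    digest: bytes


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def make_ds(owner: str, key: DNSKEY, digest_type: int,
            algorithm: Optional[int] = None) -> DS:
    """Build the DS for a key; 'algorithm' lets the scenario inject a wrong
    Algorithm field, as happened in the incident described on the list."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm if algorithm is None else algorithm,
              digest_type, digest)


def ds_matches(owner: str, ds: DS, key: DNSKEY) -> bool:
    """RFC 4034 section 5.2: key tag, algorithm and digest must all agree."""
    if ds.key_tag != key.key_tag() or ds.algorithm != key.algorithm:
        return False
    if ds.digest_type not in DIGESTS:
        return False  # unknown digest type: not usable for validation
    expected = DIGESTS[ds.digest_type](name_to_wire(owner) + key.rdata()).digest()
    return hmac.compare_digest(expected, ds.digest)


def usable_ds_lax(ds_set: Iterable[DS]) -> List[DS]:
    """Lax policy: every DS in the RRset is a candidate."""
    return list(ds_set)


def usable_ds_rfc4509(ds_set: Iterable[DS]) -> List[DS]:
    """RFC 4509 section 3: ignore SHA-1 DS records whenever the RRset also
    contains SHA-256 ones, regardless of whether those SHA-256 records validate."""
    ds_list = list(ds_set)
    if any(ds.digest_type == 2 for ds in ds_list):
        return [ds for ds in ds_list if ds.digest_type != 1]
    return ds_list


def find_trusted_key(owner: str, ds_set: Iterable[DS], keys: Iterable[DNSKEY],
                     policy: Callable[[Iterable[DS]], List[DS]]
                     ) -> Optional[Tuple[DS, DNSKEY]]:
    """Return the first (DS, DNSKEY) pair that links the delegation; None means
    no secure entry point was found, i.e. the validator would answer SERVFAIL."""
    for ds in policy(ds_set):
        for key in keys:
            if ds_matches(owner, ds, key):
                return ds, key
    return None


# Constructed scenario (not the real zone from the incident): one KSK with
# algorithm 8, a correct SHA-1 DS, and a SHA-256 DS whose Algorithm field was
# mistakenly published as 7.
OWNER = "example."
KSK = DNSKEY(flags=257, protocol=3, algorithm=8, public_key=bytes(range(64)))
GOOD_DS_SET = [make_ds(OWNER, KSK, 1), make_ds(OWNER, KSK, 2)]
INCIDENT_DS_SET = [make_ds(OWNER, KSK, 1), make_ds(OWNER, KSK, 2, algorithm=7)]

if __name__ == "__main__":
    for label, policy in (("lax", usable_ds_lax), ("RFC 4509", usable_ds_rfc4509)):
        hit = find_trusted_key(OWNER, INCIDENT_DS_SET, [KSK], policy)
        outcome = f"validated via digest type {hit[0].digest_type}" if hit else "SERVFAIL"
        print(f"{label}: {outcome}")
```

Run stand-alone, the script reproduces the contrast from the thread: with the incident DS set the lax policy links the delegation through the SHA-1 DS, while the RFC 4509 policy discards that DS because a SHA-256 DS is present, finds the remaining SHA-256 DS does not match the key (wrong Algorithm field), and ends with no secure entry point, which a validator reports as SERVFAIL. With the correct DS set both policies succeed, the RFC 4509 one via the SHA-256 record.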