Re: [dnsext] DNSSEC, robustness, and several DS records
"George Barwood" <george.barwood@blueyonder.co.uk> Wed, 11 May 2011 17:28 UTC
Return-Path: <george.barwood@blueyonder.co.uk>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5726BE073C for <dnsext@ietfa.amsl.com>; Wed, 11 May 2011 10:28:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.846
X-Spam-Level:
X-Spam-Status: No, score=-0.846 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_BASE64_TEXT=1.753]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fFX8E-hJYMk8 for <dnsext@ietfa.amsl.com>; Wed, 11 May 2011 10:28:30 -0700 (PDT)
Received: from mtaout03-winn.ispmail.ntl.com (mtaout03-winn.ispmail.ntl.com [81.103.221.49]) by ietfa.amsl.com (Postfix) with ESMTP id C6E70E06D5 for <dnsext@ietf.org>; Wed, 11 May 2011 10:28:29 -0700 (PDT)
Received: from know-smtpout-4.server.virginmedia.net ([62.254.123.3]) by mtaout03-winn.ispmail.ntl.com (InterMail vM.7.08.04.00 201-2186-134-20080326) with ESMTP id <20110511172820.OFZT3152.mtaout03-winn.ispmail.ntl.com@know-smtpout-4.server.virginmedia.net>; Wed, 11 May 2011 18:28:20 +0100
Received: from [92.238.99.235] (helo=GeorgeLaptop) by know-smtpout-4.server.virginmedia.net with smtp (Exim 4.63) (envelope-from <george.barwood@blueyonder.co.uk>) id 1QKDCu-0002rk-AP; Wed, 11 May 2011 18:28:20 +0100
Message-ID: <C7A4C74DA86C4A5A977C0902C1D2795E@local>
From: George Barwood <george.barwood@blueyonder.co.uk>
To: Paul Hoffman <paul.hoffman@vpnc.org>, Stephane Bortzmeyer <bortzmeyer@nic.fr>
References: <20110511080159.GA13132@nic.fr> <63381BB3-7552-4721-B334-CFE292AA9465@vpnc.org>
Date: Wed, 11 May 2011 18:28:17 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: base64
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6090
X-Cloudmark-Analysis: v=1.1 cv=R50lirqlHffDPPkwUlkuVa99MrvKdVWo//yz83qex8g= c=1 sm=0 a=iKl8fF4JqUIA:10 a=3NElcqgl2aoA:10 a=8nJEP1OIZ-IA:10 a=48vgC7mUAAAA:8 a=5-SuON1zi9r7fMb6-tAA:9 a=wPNLvfGTeEIA:10 a=HXXqCD0uysUA:10 a=HpAAvcLHHh0Zw7uRqdWCyQ==:117
Cc: dnsext@ietf.org
Subject: Re: [dnsext] DNSSEC, robustness, and several DS records
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 May 2011 17:28:31 -0000
> If there is a known preimage attack on SHA-1 that reduces its > effective strength to less than 128 bits, > validator implementations SHOULD ignore DS RRs containing SHA-1 > digests if DS RRs with SHA-256 digests are present in the DS RRset. The problem is that we don't know if such attacks exist, and more practically it's hard to update software. So it seems better to plan for the worst. Besides, implementations may want to use dual algorithms, for example elliptic curve plus RSA with a moderate size key, on the basis that it's unlikely that anyone would be able to break both. I really doubt having resolvers trying to fix up data errors is the way forward. I think the real fix for mishaps uploading DS records is to have better in-protocol support. The proposed CDS RRtype is aimed at this : http://www.ietf.org/mail-archive/web/dnsext/current/msg10900.html George
- [dnsext] DNSSEC, robustness, and several DS recor… Stephane Bortzmeyer
- Re: [dnsext] DNSSEC, robustness, and several DS r… Thierry Moreau
- Re: [dnsext] DNSSEC, robustness, and several DS r… Edward Lewis
- Re: [dnsext] dnsextDNSSEC, robustness, and severa… Wes Hardaker
- Re: [dnsext] DNSSEC, robustness, and several DS r… Paul Hoffman
- Re: [dnsext] DNSSEC, robustness, and several DS r… Brian Dickson
- Re: [dnsext] DNSSEC, robustness, and several DS r… W.C.A. Wijngaards
- Re: [dnsext] dnsextDNSSEC, robustness, and severa… Edward Lewis
- Re: [dnsext] DNSSEC, robustness, and several DS r… George Barwood
- Re: [dnsext] DNSSEC, robustness, and several DS r… Paul Hoffman
- Re: [dnsext] dnsextDNSSEC, robustness, and severa… Wes Hardaker
- Re: [dnsext] DNSSEC, robustness, and several DS r… Francis Dupont
- Re: [dnsext] DNSSEC, robustness, and several DS r… Brian Dickson
- Re: [dnsext] DNSSEC, robustness, and several DS r… Francis Dupont
- Re: [dnsext] DNSSEC, robustness, and several DS r… Doug Barton
- Re: [dnsext] DNSSEC, robustness, and several DS r… Mark Andrews
- Re: [dnsext] DNSSEC, robustness, and several DS r… Mark Andrews
- Re: [dnsext] DNSSEC, robustness, and several DS r… Stephan Lagerholm
- Re: [dnsext] DNSSEC, robustness, and several DS r… Doug Barton
- Re: [dnsext] DNSSEC, robustness, and several DS r… Matt McCutchen
- Re: [dnsext] DNSSEC, robustness, and several DS r… Marc Lampo
- Re: [dnsext] DNSSEC, robustness, and several DS r… Stephane Bortzmeyer
- Re: [dnsext] DNSSEC, robustness, and several DS r… Stephane Bortzmeyer
- Re: [dnsext] DNSSEC, robustness, and several DS r… W.C.A. Wijngaards
- Re: [dnsext] DNSSEC, robustness, and several DS r… Tony Finch
- Re: [dnsext] DNSSEC, robustness, and several DS r… Paul Hoffman
- Re: [dnsext] DNSSEC, robustness, and several DS r… Doug Barton
- Re: [dnsext] DNSSEC, robustness, and several DS r… Francis Dupont
- Re: [dnsext] DNSSEC, robustness, and several DS r… Doug Barton
- Re: [dnsext] DNSSEC, robustness, and several DS r… Matt McCutchen
- Re: [dnsext] DNSSEC, robustness, and several DS r… Doug Barton
- Re: [dnsext] DNSSEC, robustness, and several DS r… Francis Dupont
- Re: [dnsext] DNSSEC, robustness, and several DS r… Brian Dickson
- Re: [dnsext] DNSSEC, robustness, and several DS r… Phillip Hallam-Baker
- Re: [dnsext] DNSSEC, robustness, and several DS r… Tony Finch
- Re: [dnsext] DNSSEC, robustness, and several DS r… Phillip Hallam-Baker