IETF Logo Mail Archive

Re: [dnsext] Clarifying the mandatory algorithm rules

Ondřej Surý <ondrej.sury@nic.cz> Thu, 18 November 2010 20:36 UTC

Return-Path: <ondrej.sury@nic.cz>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 418F73A68E3 for <dnsext@core3.amsl.com>; Thu, 18 Nov 2010 12:36:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.302
X-Spam-Level:
X-Spam-Status: No, score=-1.302 tagged_above=-999 required=5 tests=[AWL=0.397, BAYES_00=-2.599, J_CHICKENPOX_23=0.6, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mHlIrGuOX7jh for <dnsext@core3.amsl.com>; Thu, 18 Nov 2010 12:36:53 -0800 (PST)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) by core3.amsl.com (Postfix) with ESMTP id 1D5853A6834 for <dnsext@ietf.org>; Thu, 18 Nov 2010 12:36:52 -0800 (PST)
Received: from [172.20.26.41] (fw.nic.cz [217.31.207.1]) by mail.nic.cz (Postfix) with ESMTPSA id 85BA073440B for <dnsext@ietf.org>; Thu, 18 Nov 2010 21:37:39 +0100 (CET)
Message-ID: <4CE58E90.6030607@nic.cz>
Date: Thu, 18 Nov 2010 21:37:36 +0100
From: Ondřej Surý <ondrej.sury@nic.cz>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.12) Gecko/20101027 Lightning/1.0b2 Thunderbird/3.1.6
MIME-Version: 1.0
To: dnsext@ietf.org
References: <alpine.BSF.2.00.1011180553250.83352@fledge.watson.org> <4CE53927.9090203@isc.org>
In-Reply-To: <4CE53927.9090203@isc.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Subject: Re: [dnsext] Clarifying the mandatory algorithm rules
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Nov 2010 20:36:54 -0000

Wouter, Jelte,

On 18.11.2010 15:33, Jelte Jansen wrote:
> IMHO, we should either do downgrade protection for all cases

I suggest we properly define what a "downgrade protection" is and how 
does it protect the zone.  I've fallen for this trap too and it helped 
me a lot to write it down.

Let's define (I skip KSK and ZSK for sake of sanity and I skip RFC5011 
for the same reason):

Algorithm A is supported.
Algorithm B is also supported.

Zone X has following properties:
   1) DS record for algorithm A
   2) DNSKEY in apex for algorithm A - DNSKEY(A)
   3) Signatures with DNSKEY(A)

Zone Y has following properties:
   1) DS record for algorithm A
   2) DNSKEY in apex for algorithm A - DNSKEY(A)
   3) DNSKEY in apex for algorithm B - DNSKEY(B)
   4) Signatures with DNSKEY(A) and DNSKEY(B)

What you are saying is that Zone Y is more secure than Zone X.  And I 
don't think so, because there is a step when you rely only on algorithm A.

Now let's add:

Zone Z has following properties
   1) DS record for algorithm A
   2) DS record for algorithm B
   3) DNSKEY in apex for algorithm A - DNSKEY(A)
   4) DNSKEY in apex for algorithm B - DNSKEY(B)
   5) Signatures with DNSKEY(A) and DNSKEY(B)

I think that only Zone Z is more secure than Zone X and Zone Y.  And 
because you don't have to keep both DS records for algorithm A and 
algorithm B in the parent zone (ie. you can just exchange the DS) then 
the key algorithm rollover can be less painful.

I would even suggest that the condition of "having the chain of trust" 
from TA to the key with a specific algorithm also applies for Sam's case 
for introducing the new "unknown" algorithm.  But I haven't given it 
much thought and I rather thing it through more before coming to any 
conclusion.

Ondrej
-- 
  Ondřej Surý
  vedoucí výzkumu/Head of R&D department
  -------------------------------------------
  CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
  Americka 23, 120 00 Praha 2, Czech Republic
  mailto:ondrej.sury@nic.cz    http://nic.cz/
  tel:+420.222745110       fax:+420.222745112
  -------------------------------------------

v2.37.1 | Report a Bug | By Email | System Status