Re: [dnsext] DNSSEC, robustness, and several DS records
"W.C.A. Wijngaards" <wouter@nlnetlabs.nl> Wed, 11 May 2011 14:28 UTC
Message-ID: <4DCA9D12.9080402@nlnetlabs.nl>
Date: Wed, 11 May 2011 16:28:34 +0200
From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
To: dnsext@ietf.org
References: <20110511080159.GA13132@nic.fr> <a06240801c9f04404083f@[10.31.203.215]>
In-Reply-To: <a06240801c9f04404083f@[10.31.203.215]>
Subject: Re: [dnsext] DNSSEC, robustness, and several DS records
Hi,

On 05/11/2011 03:57 PM, Edward Lewis wrote:
> At 10:01 +0200 5/11/11, Stephane Bortzmeyer wrote:
>> But it seems there is an "exception". RFC 4509, section 3, says that
>> DS hashed with SHA-1 must be ignored when there is a DS for the same
>> key hashed with SHA-2. This is to avoid downgrade attacks.
>
> The overriding policy is still "local policy rules." It is fine for the

The policy that unbound uses for DS hash algorithm is this: it picks its
favorite (i.e. the strongest) algorithm from the set of available ones,
and ignores the others. This works for algorithms other than SHA1 and
SHA2, and gives RFC 4509 behaviour for SHA1 and SHA2.

There would be algorithm protection if you checked all the available DS
hash algorithms. But we did not implement this because RFC 4509 says
otherwise.

The favorite DS hash algorithm for unbound is the one with the highest
DS algorithm number. This is an implementation trick.

Best regards,
   Wouter
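The selection rule Wouter describes (favour the highest supported DS digest type number present, ignore every other digest type) can be shown end to end in a few lines. The following is an added example, not unbound's code and not part of the list post: it builds DS digests over the canonical owner name plus DNSKEY RDATA as RFC 4034 section 5.1.4 specifies, applies the "highest supported digest type wins" policy, and classifies the delegation as secure, bogus or insecure. It is simplified to a single DNSKEY per DS set; the zone name `example.` and the key bytes are constructed, not real, and the digest-type-to-hash table only covers SHA-1, SHA-256 and SHA-384 (digest types 1, 2 and 4 from the IANA registry).

```python
import hashlib
from dataclasses import dataclass

# DS digest type numbers from the IANA DS digest registry
# (SHA-1: RFC 4034, SHA-256: RFC 4509, SHA-384: RFC 6605).
DIGEST_SHA1 = 1
DIGEST_SHA256 = 2
DIGEST_SHA384 = 4

# Digest types this toy validator supports. Anything else is "unknown".
SUPPORTED_DIGESTS = {
    DIGEST_SHA1: hashlib.sha1,
    DIGEST_SHA256: hashlib.sha256,
    DIGEST_SHA384: hashlib.sha384,
}


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        # Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def name_to_wire(name: str) -> bytes:
    # Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte.
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.lower().encode("ascii")
    return out + b"\x00"


def key_tag(key: DNSKEY) -> int:
    # Key tag computation from RFC 4034 appendix B.
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def compute_ds(owner: str, key: DNSKEY, digest_type: int) -> DS:
    # DS digest = H(canonical owner name | DNSKEY RDATA), RFC 4034 section 5.1.4.
    h = SUPPORTED_DIGESTS[digest_type](name_to_wire(owner) + key.rdata()).digest()
    return DS(key_tag(key), key.algorithm, digest_type, h)


def select_digest_type(ds_set, supported=SUPPORTED_DIGESTS):
    # The policy from the post: the favourite is the highest supported digest
    # type number present in the DS set; all other digest types are ignored.
    usable = {ds.digest_type for ds in ds_set if ds.digest_type in supported}
    return max(usable) if usable else None


def validate_delegation(owner: str, key: DNSKEY, ds_set) -> str:
    chosen = select_digest_type(ds_set)
    if chosen is None:
        # No DS with a digest type we support: treated like the no-DS case
        # (unsigned delegation), per RFC 4035 section 5.2 / RFC 6840 section 5.2.
        return "insecure"
    expected = compute_ds(owner, key, chosen)
    for ds in ds_set:
        if ds.digest_type != chosen:
            continue  # ignored: a weaker (or merely lower-numbered) digest type
        if ds == expected:
            return "secure"
    # Only the favourite digest type is consulted, so a correct SHA-1 DS cannot
    # rescue a key whose SHA-256 DS does not match (the RFC 4509 downgrade rule).
    return "bogus"


def demo() -> dict:
    owner = "example."  # constructed zone name, not a real delegation
    key = DNSKEY(flags=257, protocol=3, algorithm=8,
                 public_key=b"\x03\x01\x00\x01" + bytes(range(32)))  # constructed, not a real key
    good_sha1 = compute_ds(owner, key, DIGEST_SHA1)
    good_sha256 = compute_ds(owner, key, DIGEST_SHA256)
    # Same key tag and algorithm, but a digest that does not match the key.
    bad_sha256 = DS(good_sha256.key_tag, good_sha256.algorithm, DIGEST_SHA256, bytes(32))
    unknown_only = DS(good_sha1.key_tag, key.algorithm, 99, b"\x00")  # digest type 99: unassigned
    return {
        "sha1_only": validate_delegation(owner, key, [good_sha1]),
        "both_good": validate_delegation(owner, key, [good_sha1, good_sha256]),
        "sha1_good_sha256_bad": validate_delegation(owner, key, [good_sha1, bad_sha256]),
        "unknown_type_only": validate_delegation(owner, key, [unknown_only]),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The third case is the one that matters for the thread: with both a matching SHA-1 DS and a non-matching SHA-256 DS published, the delegation is bogus rather than secure, because the SHA-1 record is never consulted once a SHA-256 record is present. The fourth case shows the other side of the same rule: a DS set whose only digest types are unknown to the validator yields an insecure (unsigned) delegation, not a validation failure. Note also what "highest number wins" implies for a registry that is not ordered by strength: any newly assigned digest type number would automatically become the favourite, which is the "implementation trick" the post refers to.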