Re: [dnsext] DNSSEC, robustness, and several DS records
Stephane Bortzmeyer <bortzmeyer@nic.fr> Thu, 12 May 2011 08:00 UTC
Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED968E06C2 for <dnsext@ietfa.amsl.com>; Thu, 12 May 2011 01:00:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.249
X-Spam-Level:
X-Spam-Status: No, score=-110.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_FR=0.35, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KXQM1P+MinXs for <dnsext@ietfa.amsl.com>; Thu, 12 May 2011 01:00:49 -0700 (PDT)
Received: from mx2.nic.fr (mx2.nic.fr [192.134.4.11]) by ietfa.amsl.com (Postfix) with ESMTP id 04E78E0665 for <dnsext@ietf.org>; Thu, 12 May 2011 01:00:49 -0700 (PDT)
Received: from mx2.nic.fr (localhost [127.0.0.1]) by mx2.nic.fr (Postfix) with SMTP id 85FE21C0109; Thu, 12 May 2011 09:55:46 +0200 (CEST)
Received: from relay1.nic.fr (relay1.nic.fr [192.134.4.162]) by mx2.nic.fr (Postfix) with ESMTP id 802231C00FE; Thu, 12 May 2011 09:55:46 +0200 (CEST)
Received: from bortzmeyer.nic.fr (batilda.nic.fr [192.134.4.69]) by relay1.nic.fr (Postfix) with ESMTP id 7D6B556812C; Thu, 12 May 2011 09:55:46 +0200 (CEST)
Date: Thu, 12 May 2011 09:55:46 +0200
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Matt McCutchen <matt@mattmccutchen.net>
Message-ID: <20110512075546.GA17883@nic.fr>
References: <201105112250.p4BMoQZk020211@givry.fdupont.fr> <4DCB2E3F.4030701@dougbarton.us> <20110512015806.209E0EAF182@drugs.dv.isc.org> <4DCB4421.5020306@dougbarton.us> <1305174244.2793.8.camel@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <1305174244.2793.8.camel@localhost>
X-Operating-System: Debian GNU/Linux 6.0.1
X-Kernel: Linux 2.6.32-5-686 i686
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: Mutt/1.5.20 (2009-06-14)
Cc: dnsext@ietf.org
Subject: Re: [dnsext] DNSSEC, robustness, and several DS records
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 May 2011 08:00:50 -0000
On Thu, May 12, 2011 at 12:24:04AM -0400, Matt McCutchen <matt@mattmccutchen.net> wrote a message of 25 lines which said: > The question is what the resolver should do if it gets a DNSKEY that > matches a SHA-1 DS but doesn't match any SHA-256 DS. It has no way > to distinguish a mistake in the SHA-256 DS data in the original zone > from a downgrade attack. Can you explain how such an attack could be possible? Since the DS record set is signed, modifying the SHA-256 record to make it invalid (so the bad guy can attack SHA-1 with clever cryptanalysis) is not possible (unless the bad guy can attack the provisioning channel and, in this case, you're toasted, whatever the RFC says). [Doug Barton already made more or less the same argument, if I understand him correctly.]
- [dnsext] DNSSEC, robustness, and several DS recor… Stephane Bortzmeyer
- Re: [dnsext] DNSSEC, robustness, and several DS r… Thierry Moreau
- Re: [dnsext] DNSSEC, robustness, and several DS r… Edward Lewis
- Re: [dnsext] dnsextDNSSEC, robustness, and severa… Wes Hardaker
- Re: [dnsext] DNSSEC, robustness, and several DS r… Paul Hoffman
- Re: [dnsext] DNSSEC, robustness, and several DS r… Brian Dickson
- Re: [dnsext] DNSSEC, robustness, and several DS r… W.C.A. Wijngaards
- Re: [dnsext] dnsextDNSSEC, robustness, and severa… Edward Lewis
- Re: [dnsext] DNSSEC, robustness, and several DS r… George Barwood
- Re: [dnsext] DNSSEC, robustness, and several DS r… Paul Hoffman
- Re: [dnsext] dnsextDNSSEC, robustness, and severa… Wes Hardaker
- Re: [dnsext] DNSSEC, robustness, and several DS r… Francis Dupont
- Re: [dnsext] DNSSEC, robustness, and several DS r… Brian Dickson
- Re: [dnsext] DNSSEC, robustness, and several DS r… Francis Dupont
- Re: [dnsext] DNSSEC, robustness, and several DS r… Doug Barton
- Re: [dnsext] DNSSEC, robustness, and several DS r… Mark Andrews
- Re: [dnsext] DNSSEC, robustness, and several DS r… Mark Andrews
- Re: [dnsext] DNSSEC, robustness, and several DS r… Stephan Lagerholm
- Re: [dnsext] DNSSEC, robustness, and several DS r… Doug Barton
- Re: [dnsext] DNSSEC, robustness, and several DS r… Matt McCutchen
- Re: [dnsext] DNSSEC, robustness, and several DS r… Marc Lampo
- Re: [dnsext] DNSSEC, robustness, and several DS r… Stephane Bortzmeyer
- Re: [dnsext] DNSSEC, robustness, and several DS r… Stephane Bortzmeyer
- Re: [dnsext] DNSSEC, robustness, and several DS r… W.C.A. Wijngaards
- Re: [dnsext] DNSSEC, robustness, and several DS r… Tony Finch
- Re: [dnsext] DNSSEC, robustness, and several DS r… Paul Hoffman
- Re: [dnsext] DNSSEC, robustness, and several DS r… Doug Barton
- Re: [dnsext] DNSSEC, robustness, and several DS r… Francis Dupont
- Re: [dnsext] DNSSEC, robustness, and several DS r… Doug Barton
- Re: [dnsext] DNSSEC, robustness, and several DS r… Matt McCutchen
- Re: [dnsext] DNSSEC, robustness, and several DS r… Doug Barton
- Re: [dnsext] DNSSEC, robustness, and several DS r… Francis Dupont
- Re: [dnsext] DNSSEC, robustness, and several DS r… Brian Dickson
- Re: [dnsext] DNSSEC, robustness, and several DS r… Phillip Hallam-Baker
- Re: [dnsext] DNSSEC, robustness, and several DS r… Tony Finch
- Re: [dnsext] DNSSEC, robustness, and several DS r… Phillip Hallam-Baker