Re: [dnsext] DNSSEC, robustness, and several DS records

[Paul Hoffman <paul.hoffman@vpnc.org>]

On May 11, 2011, at 10:28 AM, George Barwood wrote:

>>  If there is a known preimage attack on SHA-1 that reduces its
>>  effective strength to less than 128 bits,
>>  validator implementations SHOULD ignore DS RRs containing SHA-1
>>  digests if DS RRs with SHA-256 digests are present in the DS RRset.
> 
> The problem is that we don't know if such attacks exist, and more practically
> it's hard to update software.

The first phrase is not true, and the second is not terribly relevant.

- There have been no known preimage attacks on SHA-1. When there is, the world will hear about it. And, before you say "but we might not hear about it", please understand that you can say exactly the same thing about RSA signatures themselves. Either you live with "the crypto experts will tell us when some component is unsafe", or you just freeze and don't do anything.

- If there is a preimage attack on SHA-1, or a much better attack on RSA, or...or...or..., then the software will have to be updated. It will will be hard to do so in some cases, but not in others.

> So it seems better to plan for the worst.

That logic leads to banning SHA-1 outright immediately. And yet the WG (correctly, IMNSHO) decided not to.

> Besides, implementations may want to use dual algorithms, for example
> elliptic curve plus RSA with a moderate size key, on the basis that it's
> unlikely that anyone would be able to break both.

To date, the tools used to weaken hashes are not the same as those used to weaken signature algorithms, so this sentence doesn't make sense in the current world.

> I really doubt having resolvers trying to fix up data errors is the way forward.

Fully agree.

--Paul Hoffman