Re: [dnsext] DNSSEC, robustness, and several DS records

Doug Barton <dougb@dougbarton.us> Thu, 12 May 2011 19:05 UTC

Return-Path: <dougb@dougbarton.us>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 333B1E0758 for <dnsext@ietfa.amsl.com>; Thu, 12 May 2011 12:05:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cG1AaXVWwVhs for <dnsext@ietfa.amsl.com>; Thu, 12 May 2011 12:05:39 -0700 (PDT)
Received: from mail2.fluidhosting.com (mx22.fluidhosting.com [204.14.89.5]) by ietfa.amsl.com (Postfix) with ESMTP id 107E2E0718 for <dnsext@ietf.org>; Thu, 12 May 2011 12:05:38 -0700 (PDT)
Received: (qmail 29070 invoked by uid 399); 12 May 2011 19:05:34 -0000
Received: from unknown (HELO 65-241-43-5.globalsuite.net) (dougb@dougbarton.us@65.241.43.5) by mail2.fluidhosting.com with ESMTPAM; 12 May 2011 19:05:34 -0000
X-Originating-IP: 65.241.43.5
X-Sender: dougb@dougbarton.us
Message-ID: <4DCC2F7C.9020100@dougbarton.us>
Date: Thu, 12 May 2011 12:05:32 -0700
From: Doug Barton <dougb@dougbarton.us>
Organization: http://SupersetSolutions.com/
User-Agent: Mozilla/5.0 (X11; U; FreeBSD amd64; en-US; rv:1.9.2.17) Gecko/20110429 Thunderbird/3.1.10
MIME-Version: 1.0
To: Tony Finch <dot@dotat.at>
References: <201105112250.p4BMoQZk020211@givry.fdupont.fr> <4DCB2E3F.4030701@dougbarton.us> <20110512015806.209E0EAF182@drugs.dv.isc.org> <4DCB4421.5020306@dougbarton.us> <1305174244.2793.8.camel@localhost> <20110512075546.GA17883@nic.fr> <4DCB9855.7020805@nlnetlabs.nl> <alpine.LSU.2.00.1105121524400.19348@hermes-2.csi.cam.ac.uk>
In-Reply-To: <alpine.LSU.2.00.1105121524400.19348@hermes-2.csi.cam.ac.uk>
X-Enigmail-Version: 1.1.2
OpenPGP: id=1A1ABC84
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: dnsext@ietf.org
Subject: Re: [dnsext] DNSSEC, robustness, and several DS records
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 May 2011 19:05:40 -0000

On 05/12/2011 07:35, Tony Finch wrote:
> W.C.A. Wijngaards<wouter@NLnetLabs.nl>  wrote:
>>
>> The weakness in MD5 that I heard about (on slashdot I think) was that
>> you could construct data that matched a particular hash.
>
> No, it's a collision attack. You can construct two things with the same
> hash. You can't construct something to match a given hash.
>
> This discussion seems silly to me, given that SHA1 is not likely to be
> vulnerable for a long time, and we will be able to stop relying on it
> before attacks become practical. We can rely on sensible behaviour by
> hostmasters rather than building brittleness into the protocol.

Right, which, btw is an unstated assumption that I was making in my 
previous posts.

I fully agree that we need to move toward SHA-256. In fact in the past I 
advocated here that the dnssec-bis docs should eliminate SHA-1 
altogether, but I got shouted down out of respect for the "installed 
base" and deployment being "just around the corner." So if both work, 
sure, disregard SHA-1. Otherwise, go with what works.


Doug

-- 

	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/