Re: [dnsext] DNSSEC, robustness, and several DS records

Tony Finch <dot@dotat.at> Thu, 12 May 2011 14:35 UTC

Date: Thu, 12 May 2011 15:35:06 +0100
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-2.csi.cam.ac.uk
To: "W.C.A. Wijngaards" <wouter@NLnetLabs.nl>
In-Reply-To: <4DCB9855.7020805@nlnetlabs.nl>
Message-ID: <alpine.LSU.2.00.1105121524400.19348@hermes-2.csi.cam.ac.uk>
References: <201105112250.p4BMoQZk020211@givry.fdupont.fr> <4DCB2E3F.4030701@dougbarton.us> <20110512015806.209E0EAF182@drugs.dv.isc.org> <4DCB4421.5020306@dougbarton.us> <1305174244.2793.8.camel@localhost> <20110512075546.GA17883@nic.fr> <4DCB9855.7020805@nlnetlabs.nl>
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] DNSSEC, robustness, and several DS records

W.C.A. Wijngaards <wouter@NLnetLabs.nl> wrote:
>
> The weakness in MD5 that I heard about (on slashdot I think) was that
> you could construct data that matched a particular hash.

No, it's a collision attack. You can construct two things with the same
hash. You can't construct something to match a given hash.

This discussion seems silly to me, given that SHA1 is not likely to be
vulnerable for a long time, and we will be able to stop relying on it
before attacks become practical. We can rely on sensible behaviour by
hostmasters rather than building brittleness into the protocol.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Rockall, Malin, Hebrides: South 5 to 7, occasionally gale 8 at first in
Rockall and Malin, veering west or northwest 4 or 5, then backing southwest 5
or 6 later. Rough or very rough. Occasional rain. Moderate or good,
occasionally poor.
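As an added illustration (not part of Tony's message or of anything else in the thread), the Python below ties the two points together for the DS case the subject line refers to. A DS record is a hash over the canonical owner name and the DNSKEY RDATA (RFC 4034 section 5.1.4), so substituting a different key under a DS the parent has already published requires a second preimage of that digest, not a collision; a toy truncated hash then shows why the two efforts are so different (collisions turn up after roughly 2^(n/2) tries, a preimage after roughly 2^n). The DNSKEY bytes and owner name are constructed, the "skip DS records whose digest type you do not support rather than fail on them" validator policy is stated here as an assumption about the tolerant behaviour being argued for, and the truncated SHA-256 is only a stand-in for a weak hash.

```python
import hashlib
import hmac
from itertools import count

# ---- DS digest over a DNSKEY, following RFC 4034 section 5.1.4 ----

def name_to_wire(name: str) -> bytes:
    """Canonical owner name in wire format: lowercase, length-prefixed labels, root label 0x00."""
    name = name.lower().rstrip(".")
    wire = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.split(".") if label)
    return wire + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, then the public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

# DS digest type codes: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DIGEST_TYPES = {1: "sha1", 2: "sha256"}

def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """digest = H(canonical owner name | DNSKEY RDATA)."""
    h = hashlib.new(DIGEST_TYPES[digest_type])
    h.update(name_to_wire(owner))
    h.update(rdata)
    return h.digest()

def make_ds(owner: str, rdata: bytes, digest_type: int) -> tuple:
    """DS RDATA as a tuple (key tag, algorithm, digest type, digest)."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))

def ds_authenticates(owner: str, rdata: bytes, ds_rrset: list, supported: set) -> bool:
    """Accept the DNSKEY if any DS whose digest type this validator supports matches it.
    Skipping (rather than failing on) unsupported digest types is the tolerant policy
    assumed here, so a zone can publish SHA-1 and SHA-256 DS records side by side."""
    tag, alg = key_tag(rdata), rdata[3]
    for ds_tag, ds_alg, ds_type, ds_dig in ds_rrset:
        if ds_type not in supported:
            continue
        if (ds_tag, ds_alg) == (tag, alg) and \
                hmac.compare_digest(ds_digest(owner, rdata, ds_type), ds_dig):
            return True
    return False

# ---- Collision versus preimage effort on a deliberately weak (truncated) hash ----

def trunc_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to its top `bits` bits: a toy stand-in for a weak hash."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)

def find_collision(bits: int) -> tuple:
    """Birthday search: returns (tries, m1, m2) with m1 != m2 and equal truncated hashes.
    Expected effort is about 2**(bits/2) hash evaluations."""
    seen = {}
    for i in count():
        m = i.to_bytes(8, "big")
        h = trunc_hash(m, bits)
        if h in seen:
            return i + 1, seen[h], m
        seen[h] = m

def find_preimage(target: int, bits: int) -> tuple:
    """Brute-force preimage of a fixed target (what forging a key under a published DS
    would need): returns (tries, m). Expected effort is about 2**bits evaluations,
    i.e. the square of the collision effort."""
    for i in count():
        m = b"P" + i.to_bytes(8, "big")
        if trunc_hash(m, bits) == target:
            return i + 1, m

if __name__ == "__main__":
    # Constructed DNSKEY: the public key bytes are arbitrary, not a real key.
    owner = "example.test."
    key = dnskey_rdata(257, 3, 8, bytes(range(1, 33)))
    ds_set = [make_ds(owner, key, 1), make_ds(owner, key, 2)]
    print("key tag", key_tag(key),
          "| SHA-256-only validator accepts:", ds_authenticates(owner, key, ds_set, {2}),
          "| SHA-1-only validator accepts:", ds_authenticates(owner, key, ds_set, {1}))
    bits = 20
    tries_c, m1, m2 = find_collision(bits)
    target = trunc_hash(b"constructed DS digest an attacker would need to match", bits)
    tries_p, _ = find_preimage(target, bits)
    print(f"{bits}-bit toy hash: collision after {tries_c} tries, preimage after {tries_p} tries")
```

Running the script shows the same DNSKEY authenticating under either DS, and the gap between the birthday-bound collision count and the preimage count for the toy hash. Raising `bits` widens that gap quadratically, which is the reason a collision attack on a digest algorithm does not by itself let anyone substitute a key under a DS that is already published.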