IETF Logo Mail Archive

Re: [dnsext] Clarifying the mandatory algorithm rules

Ondřej Surý <ondrej.sury@nic.cz> Thu, 18 November 2010 20:15 UTC

Return-Path: <ondrej.sury@nic.cz>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7C3823A68D4 for <dnsext@core3.amsl.com>; Thu, 18 Nov 2010 12:15:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.932
X-Spam-Level:
X-Spam-Status: No, score=-0.932 tagged_above=-999 required=5 tests=[AWL=0.167, BAYES_00=-2.599, J_CHICKENPOX_23=0.6, J_CHICKENPOX_32=0.6, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LRw6fvfF+FMI for <dnsext@core3.amsl.com>; Thu, 18 Nov 2010 12:15:29 -0800 (PST)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) by core3.amsl.com (Postfix) with ESMTP id 9A0C93A6811 for <dnsext@ietf.org>; Thu, 18 Nov 2010 12:15:28 -0800 (PST)
Received: from [172.20.26.41] (fw.nic.cz [217.31.207.1]) by mail.nic.cz (Postfix) with ESMTPSA id 4CE517343FF; Thu, 18 Nov 2010 21:16:13 +0100 (CET)
Message-ID: <4CE5898C.7050801@nic.cz>
Date: Thu, 18 Nov 2010 21:16:12 +0100
From: Ondřej Surý <ondrej.sury@nic.cz>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.12) Gecko/20101027 Lightning/1.0b2 Thunderbird/3.1.6
MIME-Version: 1.0
To: Samuel Weiler <weiler@watson.org>
References: <alpine.BSF.2.00.1011180553250.83352@fledge.watson.org> <4CE50C01.4010104@nic.cz> <alpine.BSF.2.00.1011180630550.83352@fledge.watson.org>
In-Reply-To: <alpine.BSF.2.00.1011180630550.83352@fledge.watson.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Cc: dnsext@ietf.org, "W.C.A. Wijngaards" <wouter@NLnetLabs.nl>
Subject: Re: [dnsext] Clarifying the mandatory algorithm rules
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Nov 2010 20:15:30 -0000

Sam,

we discussed it with Jaromir on our walk to Vatican Museum and came to 
conclusion that validating resolver only needs to stop and declare 
security problem only when there is a chain of trust leading to a key 
with a new algorithm and there are missing signatures for that algorithm.

So the resolver should return SERVFAIL only when (all conditions must 
apply):

a) there are DS records in parent zone for algorithm A and algorithm B

b) the zone has keys for algorithm A and algorithm B in the zone apex 
(it has to according to RFC)

c) there are signatures either only for algorithm A or only for algorithm B

The idea is that just adding a new key with algorithm B (the strong) 
without chaining it to the parent zone doesn't add any new security, 
since the chain of trust is secured by the (the weak) algorithm A.

So, yes the RFCs need a clarification and yes the unbound is 
unnecessarily strict since such strict implementation doesn't add any 
additional security (because you don't have a chain of trust leading to 
a key).  Wouter, object now or never :).

Sam, thanks for your persistence :), the "unsupported algorithm" was the 
missing piece I was looking for.

Ondrej

On 18.11.2010 12:37, Samuel Weiler wrote:
> On Thu, 18 Nov 2010, Ond?ej Sur? wrote:
>
>> 1) there is a known cryptographic attack against algorithm A
> ...
>> 7) if the validating resolver is OK with just one or another and not
>> both algorithm signatures, it could be convinced to validate the
>> result just by seeing (spoofed) signatures with algorithm A. So the
>> validating resolver sees spoofed records and it's spoofed signatures
>> using just algoritm A and it validates the result.
>
> This is a different sort of downgrade attack than the one these rules
> were designed to protect against. Indeed, to address this attack within
> the protocol, we'd need to require resolvers to check EVERY algorithm's
> signature (if they can). We didn't do that before, and it's probably
> unwise to make that change now.
>
> The current work-around is for the zone owner to STOP signing with the
> known-broken algorithm A. That leaves code that only supports A out in
> the cold. If you're assuming resolvers support both A and B (as your
> clarification says), there's no problem.
>
>> What do I miss here? I really do think that there is no downgrade
>> attack protection if it's not implemented on both sides (authoritative
>> and validating-recursive).
>
> Indeed, for the attack you're describing, the resolver would need to be
> involved, and it would need to change.
>
> The downgrade attack that led to this is documented in a message to
> namedroppers on 13 August 2003, Subject line "DNSSECbis Q-2: degradation
> attack". With the archives off-line, perhaps I should resend it.

Please do.

Ondrej
-- 
  Ondřej Surý
  vedoucí výzkumu/Head of R&D department
  -------------------------------------------
  CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
  Americka 23, 120 00 Praha 2, Czech Republic
  mailto:ondrej.sury@nic.cz    http://nic.cz/
  tel:+420.222745110       fax:+420.222745112
  -------------------------------------------

v2.23.0 | Report a Bug | By Email