IETF Logo Mail Archive

Re: [dnsext] Clarifying the mandatory algorithm rules

Matthijs Mekking <matthijs@NLnetLabs.nl> Mon, 22 November 2010 08:50 UTC

Return-Path: <matthijs@nlnetlabs.nl>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9DEBE3A6A2C for <dnsext@core3.amsl.com>; Mon, 22 Nov 2010 00:50:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level:
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FxOO0sYW3gtF for <dnsext@core3.amsl.com>; Mon, 22 Nov 2010 00:50:03 -0800 (PST)
Received: from open.nlnetlabs.nl (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::1]) by core3.amsl.com (Postfix) with ESMTP id 0BB4E3A6967 for <dnsext@ietf.org>; Mon, 22 Nov 2010 00:50:02 -0800 (PST)
Received: from [IPv6:2001:7b8:206:1:215:afff:fed2:e121] ([IPv6:2001:7b8:206:1:215:afff:fed2:e121]) (authenticated bits=0) by open.nlnetlabs.nl (8.14.4/8.14.4) with ESMTP id oAM8ouVx045430; Mon, 22 Nov 2010 09:50:56 +0100 (CET) (envelope-from matthijs@nlnetlabs.nl)
Message-ID: <4CEA2F8E.7060104@nlnetlabs.nl>
Date: Mon, 22 Nov 2010 09:53:34 +0100
From: Matthijs Mekking <matthijs@NLnetLabs.nl>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.15) Gecko/20101027 Thunderbird/3.0.10
MIME-Version: 1.0
To: dnsext@ietf.org, Jelte Jansen <jelte@isc.org>
References: <alpine.BSF.2.00.1011180553250.83352@fledge.watson.org> <4CE53927.9090203@isc.org> <4CE58E90.6030607@nic.cz> <AANLkTin2H7UkP7FVfz3GN74CKtqn2OKo7MmcKMGOkvNY@mail.gmail.com> <4CE59B3D.5020109@nic.cz> <20101119004134.993F26EB749@drugs.dv.isc.org><AANLkTi=Hp6s4xwLQGyWv3BNtvUf5-SDtgUzHbNKtfCV1@mail.gmail.com> <20101119060416.024456F87CD@drugs.dv.isc.org> <4CE629F1.2090907@isc.org> <20101119131627.E8B616F8F8B@drugs.dv.isc.org> <4CE8F5DC.80406@isc.org>
In-Reply-To: <4CE8F5DC.80406@isc.org>
X-Enigmail-Version: 1.0.1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.6 (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::1]); Mon, 22 Nov 2010 09:50:56 +0100 (CET)
Subject: Re: [dnsext] Clarifying the mandatory algorithm rules
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Nov 2010 08:50:04 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

On 11/21/2010 11:35 AM, Jelte Jansen wrote:
> On 11/19/2010 02:16 PM, Mark Andrews wrote:
>>>> If a algorithm is insecure then you should remove it from the list
>>>> of acceptable algorithms in you validator.  That way you get insecure
>>>> not trusted out of the validator.
>>>>
>>>
>>> If you do that, and the zone(s) do 'normal' pre-publish rollover from
>>> that broken algorithm to a not-yet-broken one, you'd get bogus, not
>>> insecure, during the roll
>>>
> 
>> No you don't.  Once a algorithm is marked as invalid the validator
>> behaves exactly as if the validator doesn't know about the algorithm.
> 
>> During the pre-publish period there isn't a trust path into the zone with
>> a supported algorithm.
> 
> 
> no, but during the DS switch there would be, same problem, just a different level.
> 
> If it is the DS set that specifies which algorithms are used, you either have to
> have both algorithms in that set at one point, or have the zone fully signed
> with both algorithms. But if you have both DS's in there, and the zone itself
> signed with only one, it'll be bogus for validators that only support the other
> algorithm.
> 
> But I now notice that the current draft for 4641bis says not to do pre-publish
> rollover when switching algorithms, only double signature, so that's ok :)

Actually, you cannot even do pre-publish algorithm rollover. In order to
introduce the new algorithm at the parent, you need to fully sign your
zone with that algorithm. Effectively, it becomes a double-signature
rollover.

> The part about adding signatures first could probably be removed if 4035 is
> clarified (changed, depending on one's POV ;) ) that it is the DS set and not
> the DNSKEY set that one should check for algorithm support.

You would still need to pre-publish signatures if you want to support
RFC 5011 (because you have no method to delay adding this trust anchor
until the zone is fully signed with the new algorithm).

Matthijs
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJM6i+NAAoJEA8yVCPsQCW5SnEH/j/gAYWS9xf2+zqgdXHMhTrx
LHFYQR5HF9SLxmG2gd6HaZ9WpBPge7gTVcnUhP9A7/VLl0LjZdfC83/XFam/X1wZ
twl4HU6wxwJoVp7xffJKGQkV2by2RUy2Wt+Tz3lY3B0YTGkPC66567Mm/WK/xYT2
bSUTXaePkrFKuo1d6sg+tM9t14lCBLKoWL79p15UteKm7klIfVCeeVZSm35Rbug0
XaeSeA3nmlAEAvj24mk1aNCZqZWEjp5zGHKT185Kzrf7sGtxwId5wHto+6y+T58b
FYEx2f9hBkr6Ww3jMeSNa8DawDx5dUvQKCwwKP8H4//iyg/7SWHb3ksbZ4aHivM=
=xVvl
-----END PGP SIGNATURE-----

v2.37.1 | Report a Bug | By Email | System Status