IETF Logo Mail Archive

Re: [dnsext] MAR proposal #1: Algorithm downgrade protection

Paul Hoffman <paul.hoffman@vpnc.org> Sat, 02 April 2011 06:35 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 319E53A6A48 for <dnsext@core3.amsl.com>; Fri, 1 Apr 2011 23:35:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.549
X-Spam-Level:
X-Spam-Status: No, score=-102.549 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ntOaDLBldIkV for <dnsext@core3.amsl.com>; Fri, 1 Apr 2011 23:35:47 -0700 (PDT)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2001:4870:a30c:41::81]) by core3.amsl.com (Postfix) with ESMTP id B42003A6A43 for <dnsext@ietf.org>; Fri, 1 Apr 2011 23:35:46 -0700 (PDT)
Received: from [10.0.5.10] ([212.47.23.197]) (authenticated bits=0) by hoffman.proper.com (8.14.4/8.14.3) with ESMTP id p326bNig081175 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO) for <dnsext@ietf.org>; Fri, 1 Apr 2011 23:37:25 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Apple Message framework v1084)
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <alpine.BSF.2.00.1104011022030.92106@fledge.watson.org>
Date: Sat, 02 Apr 2011 08:37:22 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <AC57406A-DA8C-4EF4-9E53-117F209D8668@vpnc.org>
References: <alpine.BSF.2.00.1011180553250.83352@fledge.watson.org> <4CE51293.5040605@nlnetlabs.nl> <a06240801c9101620d463@192.168.128.163> <22284.1290447209@nsa.vix.com> <4CF4D54B.5000407@nlnetlabs.nl> <20110310223438.978E9C0E902@drugs.dv.isc.org> <4D79DDFA.3010006@nlnetlabs.nl> <alpine.BSF.2.00.1103140901170.99213@fledge.watson.org> <20110314213319.A2799C8CA0B@drugs.dv.isc.org> <alpine.BSF.2.00.1103141750530.74870@fledge.watson.org> <a06240800c9a50cf4632a@10.31.200.110> <AANLkTimUUa5zkr+hZH4jR-euENg_n=9EwtRVBN-cxr9_@mail.gmail.com> <a06240802c9a7b6cb4cc3@192.168.1.105> <AANLkTin+hMZ-27VjkQq7_44zNguMiefhxbgGD+-XZxPP@mail.gmail.com> <a06240802c9a7e0807069@10.31.200.117> <AANLkTi=4co5mS3RYhK1BvUMOm54wgNAMeKtk3_Zm0ff1@mail.gmail.com> <a06240802c9a93d762e13@[10.31.200.112]> <a06240803c9a9417e1fe8@[10.31.200.112]> <4D938CC3.1020103@nlnetlabs.nl> <a06240800c9ba6184d535@[10.31.200.112]> <4D94DF2B.1040407@nlnetlabs.nl> <a06240800c9bb6f86edae@[10.31.200.112]> <alpine.BSF.2.00.110401! 1022030.92106@fledge.watson.org>
To: DNSEXT Working Group <dnsext@ietf.org>
X-Mailer: Apple Mail (2.1084)
Subject: Re: [dnsext] MAR proposal #1: Algorithm downgrade protection
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Apr 2011 06:35:48 -0000

On Apr 1, 2011, at 4:24 PM, Samuel Weiler wrote:

> This is a proposed change in DNSSECbis that arguably changes the mandatory algorithm rules.  I'm posting this as a summary of what I understand some may support, I don't support this change myself. Please post in this thread with your support or lack thereof.
> 
> 
> In order to provide some protection against algorithm downgrade[1], we're defining a mechanism for zone signers to signal to validators that a SET of algorithms should ALL be checked, when possible, before determining that an answer from the zone is Secure.  Specifically, we're overloading the DS RRset to do that signalling.
> 
> Validators SHOULD check signatures from all algorithms present in a zone's DS RRset or trust anchors before declaring an answer from the zone to be Secure.  If it is impossible to validate an answer with one or more of those algorithms, the answer SHOULD be treated as Bogus.
> 
> This is a subset of the checks unbound was performing that let to the discovery of the problems with .cz's algorithm roll process.
> 
> Please post in this thread with your support or objections.

I do not support this change. It makes DNSSEC validation both more mushy and more brittle by having zones "signal" to relying parties what the zone wants the relying parties to do. It is more mushy because a clearer statement can be made: just sign with the algorithms you want. It makes it more brittle because now there are more ways to make a zone accidentally go bogus.

--Paul Hoffman

v2.23.0 | Report a Bug | By Email