Re: [dnsext] Clarifying the mandatory algorithm rules
Ondřej Surý <ondrej.sury@nic.cz> Thu, 18 November 2010 11:31 UTC
Return-Path: <ondrej.sury@nic.cz>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9AAD23A6824 for <dnsext@core3.amsl.com>; Thu, 18 Nov 2010 03:31:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.7
X-Spam-Level:
X-Spam-Status: No, score=-1.7 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_23=0.6, MIME_8BIT_HEADER=0.3, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lqC8DauepxaY for <dnsext@core3.amsl.com>; Thu, 18 Nov 2010 03:31:37 -0800 (PST)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) by core3.amsl.com (Postfix) with ESMTP id 3D4663A681D for <dnsext@ietf.org>; Thu, 18 Nov 2010 03:31:35 -0800 (PST)
Received: from [IPv6:2001:67c:64:42:221:6aff:fe5b:b80] (unknown [IPv6:2001:67c:64:42:221:6aff:fe5b:b80]) by mail.nic.cz (Postfix) with ESMTPSA id 00F68734355 for <dnsext@ietf.org>; Thu, 18 Nov 2010 12:32:21 +0100 (CET)
Message-ID: <4CE50EC4.6000401@nic.cz>
Date: Thu, 18 Nov 2010 12:32:20 +0100
From: Ondřej Surý <ondrej.sury@nic.cz>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.12) Gecko/20101027 Lightning/1.0b2 Thunderbird/3.1.6
MIME-Version: 1.0
To: dnsext@ietf.org
References: <alpine.BSF.2.00.1011180553250.83352@fledge.watson.org> <4CE50C01.4010104@nic.cz>
In-Reply-To: <4CE50C01.4010104@nic.cz>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Subject: Re: [dnsext] Clarifying the mandatory algorithm rules
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Nov 2010 11:31:38 -0000
Based on off-list discussion with Sam, I should add that both algorithm A and algorithm B in my example are supported by the validating resolver. Ondrej On 18.11.2010 12:20, Ondřej Surý wrote: > Hi Sam, > > I actually gave it some thought yesterday and there is one thing I still > don't understand. If the case is indeed to protect against downgrade > attack then if the resolver doesn't implement same strictness as zone > operators then there is in fact no protection at all against downgrade > attack. > > Maybe it's a right time to clarify what the downgrade attack is. My > understanding is that: > > 1) there is a known cryptographic attack against algorithm A > > 2) there is a algorithm B which is safe to use > > 3) the zone operator publish zone with algorithm A and B in the apex > > 4) the zone is signed by both algorithm A and B (Note: when I say signed > by algorithm I mean signed by key or chain of keys (KSK+ZSK) using that > particular algorithm) > > 5) an attacker computes the signature for his spoofed records using > algoritm A > > 6) an attacker injects his spoofed RRs together with computed sigs to a > validating resolver > > 7) if the validating resolver is OK with just one or another and not > both algorithm signatures, it could be convinced to validate the result > just by seeing (spoofed) signatures with algorithm A. So the validating > resolver sees spoofed records and it's spoofed signatures using just > algoritm A and it validates the result. > > > What do I miss here? I really do think that there is no downgrade attack > protection if it's not implemented on both sides (authoritative and > validating-recursive). > > Ondrej. > > On 18.11.2010 12:02, Samuel Weiler wrote: >> Recently CZNIC reported on some algorithm rollover problems they >> encountered when they didn't follow the "mandatory algorithm rules" in >> the "Zone Signing" section of RFC4035. These rules create a method to >> signal to resolvers what algorithms are in use in a zone. As historical >> perspective, these rules were written in order to avoid the dilemma of >> opening resolvers to a downgrade attack or discouraging the use of new >> algorithms. >> >> CZNIC published a DNSKEY for a "new" algorithm without simultaneously >> publishing the corresponding RRSIGs. Unbound started rejecting answers >> from .cz because the zone didn't also include the new RRSIGs, even >> though Unbound fully supported the old algorithm and the RRSIGs for that >> old algorithm were present in the zone. >> >> These rules are indeed for zone operators and/or signers and do not need >> to be enforced by a validator. While I haven't worked through the >> validation sections of 4035 closely, I think Unbound is violating the >> RFC by checking for this. (It would fine for Unbound to disable support >> for the "old" algorithm entirely, in which case the answers should >> indeed be rejected, but that isn't what happened here.) In contrast, >> BIND found the signatures from the "old" algorithm sufficient. >> >> >> I've heard folks from CZNIC advocating adding some clarifications to >> 4641bis and other operational documents reminding zone operators of >> these rules, perhaps in better language. I generally support that. >> >> I've also been encouraged to add an explanation of this to >> dnssec-bis-updates. Since validator implementers did different things, I >> agree that clarification is in order. >> >> The most general thing we could say is "Pay attention to the section >> headings in RFC4035. Note that Section 2 ("Zone Signing") provides >> guidance to zone signers, not resolvers. Resolvers should pay careful >> attention to Sections 4 and 5 ("Resolving" and "Authenticating DNS >> Responses") and do not need to separately check for compliance with >> every item in Section 2. In particular the "mandatory algorithm rules" >> in the last paragraph of section 2.2 do not need to be enforced by a >> resolver. Note that this document makes some minor changes to the >> validation rules in RFC4035, including the rules for handling DS records >> with unknown message digest algorithms." >> >> I'm not sure if the generalization (that validators can ignore section >> 2) is 100% correct. Is it? >> >> >> Alternatively, we could say something specific: >> >> "The last paragraph of RFC4035 Section 2.2 includes rules for which >> algorithms must be used to sign a zone. Since these rules have been >> confusing, we restate them in different language here: >> >> Every algorithm present in a zone's DS RRset (if any) must also be >> present in its DNSKEY RRset. Every algorithm present in the DNSKEY RRset >> must be used to sign every RRset in the zone, including the DNSKEY RRset >> itself. If more than one key of the same algorithm is in the DNSKEY >> RRset, it is sufficient to sign each RRset with any subset of these >> DNSKEYs. It is acceptable to sign some RRsets with one subset of keys >> (or key) and other RRsets with a different subset, so long as at least >> one DNSKEY of each ALGORITHM is used to sign each RRset. Likewise, if >> there are DS records for multiple keys of the same algorithm, any subset >> of those may appear in the DNSKEY RRset. >> >> Furthermore, note that these rules are for zone operators and zone >> operators, as might be inferred from the Section 2 heading: "Zone >> Signing". These rules do not need to be separately enforced by >> validating resolvers." >> >> >> Does the WG have a preference for which version of this to add to >> dnssec-bis-updates? By default, I propose to add the specific one. If >> someone else has walked through RFC4035 Sections 4 and 5 carefully, >> perhaps we could use the general one. I also welcome other restatements >> of the rules: I wrote the original ones which have been confusing, and >> having someone else rewrite them might make more sense. >> >> -- Sam Weiler >> >> _______________________________________________ >> dnsext mailing list >> dnsext@ietf.org >> https://www.ietf.org/mailman/listinfo/dnsext > > -- Ondřej Surý vedoucí výzkumu/Head of R&D department ------------------------------------------- CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC Americka 23, 120 00 Praha 2, Czech Republic mailto:ondrej.sury@nic.cz http://nic.cz/ tel:+420.222745110 fax:+420.222745112 -------------------------------------------
- Re: [dnsext] Clarifying the mandatory algorithm r… Jeffrey A. Williams
- Re: [dnsext] Clarifying the mandatory algorithm r… Jeffrey A. Williams
- Re: [dnsext] Clarifying the mandatory algorithm r… Jeffrey A. Williams
- [dnsext] Clarifying the mandatory algorithm rules Samuel Weiler
- Re: [dnsext] Clarifying the mandatory algorithm r… Ondřej Surý
- Re: [dnsext] Clarifying the mandatory algorithm r… Ondřej Surý
- Re: [dnsext] Clarifying the mandatory algorithm r… Samuel Weiler
- Re: [dnsext] Clarifying the mandatory algorithm r… W.C.A. Wijngaards
- Re: [dnsext] Clarifying the mandatory algorithm r… W.C.A. Wijngaards
- Re: [dnsext] Clarifying the mandatory algorithm r… Phillip Hallam-Baker
- Re: [dnsext] Clarifying the mandatory algorithm r… Florian Weimer
- Re: [dnsext] Clarifying the mandatory algorithm r… Jelte Jansen
- Re: [dnsext] Clarifying the mandatory algorithm r… Samuel Weiler
- Re: [dnsext] Clarifying the mandatory algorithm r… Brian Dickson
- Re: [dnsext] Clarifying the mandatory algorithm r… Samuel Weiler
- Re: [dnsext] Clarifying the mandatory algorithm r… Samuel Weiler
- Re: [dnsext] Clarifying the mandatory algorithm r… Ondřej Surý
- Re: [dnsext] Clarifying the mandatory algorithm r… Ondřej Surý
- Re: [dnsext] Clarifying the mandatory algorithm r… Ondřej Surý
- Re: [dnsext] Clarifying the mandatory algorithm r… Brian Dickson
- Re: [dnsext] Clarifying the mandatory algorithm r… Ondřej Surý
- Re: [dnsext] Clarifying the mandatory algorithm r… Mark Andrews
- Re: [dnsext] Clarifying the mandatory algorithm r… Brian Dickson
- Re: [dnsext] Clarifying the mandatory algorithm r… Mark Andrews
- Re: [dnsext] Clarifying the mandatory algorithm r… Ondřej Surý
- Re: [dnsext] Clarifying the mandatory algorithm r… George Barwood
- Re: [dnsext] Clarifying the mandatory algorithm r… Jelte Jansen
- Re: [dnsext] Clarifying the mandatory algorithm r… W.C.A. Wijngaards
- Re: [dnsext] Clarifying the mandatory algorithm r… Ondřej Surý
- Re: [dnsext] Clarifying the mandatory algorithm r… Mark Andrews
- Re: [dnsext] Clarifying the mandatory algorithm r… Mark Andrews
- Re: [dnsext] Clarifying the mandatory algorithm r… W.C.A. Wijngaards
- Re: [dnsext] Clarifying the mandatory algorithm r… Mark Andrews
- Re: [dnsext] Clarifying the mandatory algorithm r… Jelte Jansen
- Re: [dnsext] Clarifying the mandatory algorithm r… Doug Barton
- Re: [dnsext] Clarifying the mandatory algorithm r… Mark Andrews
- Re: [dnsext] Clarifying the mandatory algorithm r… Matthijs Mekking
- Re: [dnsext] Clarifying the mandatory algorithm r… Jelte Jansen
- Re: [dnsext] Clarifying the mandatory algorithm r… Mark Andrews
- Re: [dnsext] Clarifying the mandatory algorithm r… Edward Lewis
- Re: [dnsext] Clarifying the mandatory algorithm r… Edward Lewis
- Re: [dnsext] Clarifying the mandatory algorithm r… Ondřej Surý
- Re: [dnsext] Clarifying the mandatory algorithm r… Paul Vixie
- Re: [dnsext] Clarifying the mandatory algorithm r… W.C.A. Wijngaards
- Re: [dnsext] Clarifying the mandatory algorithm r… Matthijs Mekking
- Re: [dnsext] Clarifying the mandatory algorithm r… Edward Lewis
- Re: [dnsext] Clarifying the mandatory algorithm r… Phillip Hallam-Baker
- Re: [dnsext] Clarifying the mandatory algorithm r… Matthijs Mekking
- Re: [dnsext] Clarifying the mandatory algorithm r… Edward Lewis
- Re: [dnsext] Clarifying the mandatory algorithm r… Brian Dickson
- Re: [dnsext] Clarifying the mandatory algorithm r… Matthijs Mekking
- Re: [dnsext] Clarifying the mandatory algorithm r… Olafur Gudmundsson
- Re: [dnsext] Clarifying the mandatory algorithm r… Edward Lewis
- Re: [dnsext] Clarifying the mandatory algorithm r… Alfred Hönes
- Re: [dnsext] Clarifying the mandatory algorithm r… Edward Lewis
- Re: [dnsext] Clarifying the mandatory algorithm r… Mark Andrews
- Re: [dnsext] Clarifying the mandatory algorithm r… Samuel Weiler
- Re: [dnsext] Clarifying the mandatory algorithm r… Mark Andrews
- Re: [dnsext] Clarifying the mandatory algorithm r… Matthijs Mekking
- Re: [dnsext] Clarifying the mandatory algorithm r… Edward Lewis
- Re: [dnsext] Clarifying the mandatory algorithm r… Samuel Weiler
- Re: [dnsext] Clarifying the mandatory algorithm r… Edward Lewis
- Re: [dnsext] Clarifying the mandatory algorithm r… Brian Dickson
- Re: [dnsext] Clarifying the mandatory algorithm r… Edward Lewis
- Re: [dnsext] Clarifying the mandatory algorithm r… Mark Andrews
- Re: [dnsext] Clarifying the mandatory algorithm r… Samuel Weiler
- Re: [dnsext] Clarifying the mandatory algorithm r… Mark Andrews
- Re: [dnsext] Clarifying the mandatory algorithm r… Edward Lewis
- Re: [dnsext] Clarifying the mandatory algorithm r… Casey Deccio
- Re: [dnsext] Clarifying the mandatory algorithm r… Edward Lewis
- Re: [dnsext] Clarifying the mandatory algorithm r… Casey Deccio
- Re: [dnsext] Clarifying the mandatory algorithm r… Edward Lewis
- Re: [dnsext] Clarifying the mandatory algorithm r… Casey Deccio
- Re: [dnsext] Clarifying the mandatory algorithm r… Edward Lewis
- Re: [dnsext] Clarifying the mandatory algorithm r… Edward Lewis
- Re: [dnsext] Clarifying the mandatory algorithm r… Matthijs Mekking
- Re: [dnsext] Clarifying the mandatory algorithm r… Edward Lewis
- Re: [dnsext] Clarifying the mandatory algorithm r… Matthijs Mekking
- Re: [dnsext] Clarifying the mandatory algorithm r… Edward Lewis
- Re: [dnsext] Clarifying the mandatory algorithm r… Samuel Weiler
- [dnsext] MAR proposal #1: Algorithm downgrade pro… Samuel Weiler
- Re: [dnsext] MAR proposal #1: Algorithm downgrade… Samuel Weiler
- [dnsext] MAR proposal #2: Allowing pre-publishing… Samuel Weiler
- Re: [dnsext] MAR proposal #1: Algorithm downgrade… Edward Lewis
- Re: [dnsext] MAR proposal #2: Allowing pre-publis… Edward Lewis
- Re: [dnsext] MAR proposal #1: Algorithm downgrade… Mark Andrews
- Re: [dnsext] MAR proposal #1: Algorithm downgrade… Paul Hoffman
- Re: [dnsext] MAR proposal #2: Allowing pre-publis… Paul Hoffman
- Re: [dnsext] MAR proposal #1: Algorithm downgrade… Brian Dickson
- Re: [dnsext] MAR proposal #2: Allowing pre-publis… Marc Lampo
- Re: [dnsext] MAR proposal #2: Allowing pre-publis… Matthijs Mekking
- Re: [dnsext] MAR proposal #2: Allowing pre-publis… Joe Abley
- Re: [dnsext] Clarifying the mandatory algorithm r… weiler