IETF Logo Mail Archive

[DNSOP] Re: [Ext] New draft on collision free key tags in DNSSEC

John Levine <johnl@iecc.com> Sun, 28 July 2024 00:00 UTC

Return-Path: <johnl@iecc.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44E80C14F605 for <dnsop@ietfa.amsl.com>; Sat, 27 Jul 2024 17:00:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iecc.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m2c_wjWRLlET for <dnsop@ietfa.amsl.com>; Sat, 27 Jul 2024 17:00:10 -0700 (PDT)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91A81C14F600 for <dnsop@ietf.org>; Sat, 27 Jul 2024 17:00:10 -0700 (PDT)
Received: (qmail 92681 invoked from network); 28 Jul 2024 00:00:08 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=iecc.com; h=date:message-id:from:to:cc:in-reply-to:references:mime-version:content-type:content-transfer-encoding:subject:user-agent; s=16a0566a58a08.k2407; i=johnl-iecc.com@submit.iecc.com; bh=GnQfOH3h7Xa2hVv79roArjLM9e9eJREX4G/3GmqQu6I=; b=UQvtkNrEJ9MI+UbuvI6ZYXm1LtoyaV3U2wKyALk2Wdx8TGOB+JB+hY2QY78JnoHhhgbgI8zpd9K7tgZImQBLujzz2KLotgLxPbuz/APzQoNnZ9/36LtVK70/T/MvNbAtJjlJOx/o8YBsDpf6TiwgzF2mYXgHsFUWLOvE1rOF+sv/dW55sVgpr4f8AVWbzcqMoSCtqhrgGbLQAHGUv7aS0BIbJQYOySb6m1WZN35RQIfFN/JlIxQh8jfcQLvDpguFmxFc+itUWYbSjKnpU+YaBPHUyrmubpooiZvBOWiyLC3SQL6TcWhKtLW5/V8zpjQHWzl5wGogRG6zsmwfvreL2g==
Received: from [IPV6:2607:fb90:f06e:c48d:e8b6:790f:db9f:5374] ([IPv6:2607:fb90:f06e:c48d:e8b6:790f:db9f:5374]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPSA (TLS1.3 ECDHE-RSA AES-128-GCM AEAD, johnl@iecc.com) via TCP6; 28 Jul 2024 00:00:08 -0000
Date: Sat, 27 Jul 2024 19:00:06 -0500
Message-ID: <118eb776-1f8f-4dae-808b-2be09ecbebd9@iecc.com>
From: John Levine <johnl@iecc.com>
To: Shumon Huque <shuque@gmail.com>
In-Reply-To: <CAHPuVdXiNJBnzE+XwCz8bN5jZkhgMSnbcbH7nhZzFwmNQTN7ng@mail.gmail.com>
References: <CAHPuVdUveYraaGtrGveKTiLgP1L19G6g6=bsKsHjsPsP5fkiXg@mail.gmail.com> <727BB4FD-2492-4B18-B4DB-80A1C3DFBCD6@icann.org> <CAHPuVdXiNJBnzE+XwCz8bN5jZkhgMSnbcbH7nhZzFwmNQTN7ng@mail.gmail.com>
X-Referenced-Uid: 34085
Thread-Topic: [DNSOP] Re: [Ext] New draft on collision free key tags in DNSSEC
User-Agent: Android
X-Is-Generated-Message-Id: true
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----AAMOW96VGMJHGCZ3Q9IY352MGWM611"
Content-Transfer-Encoding: 7bit
Message-ID-Hash: YJC644ZUU4LFVOB54K4D26Q7E7LCPZUP
X-Message-ID-Hash: YJC644ZUU4LFVOB54K4D26Q7E7LCPZUP
X-MailFrom: johnl@iecc.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Paul Hoffman <paul.hoffman@icann.org>, dnsop <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: [Ext] New draft on collision free key tags in DNSSEC
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/54bpLTfxXjmOo9dpju3LM9r9tQg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

I am a bad person. My zone uses the new algorithm and I put in two keys with the same tag. Now what? Other than perhaps stopping at two keys rather than three, what is the difference in what resolvers do?

⁣Get BlueMail for Android ​

On Jul 25, 2024, 19:54, at 19:54, Shumon Huque <shuque@gmail.com> wrote:
>On Thu, Jul 25, 2024 at 5:44 PM Paul Hoffman <paul.hoffman@icann.org>
>wrote:
>
>> On Jul 25, 2024, at 17:34, Shumon Huque <shuque@gmail.com> wrote:
>> >
>> > Folks,
>> >
>> > For discussion ...
>> >
>> > Mark Andrews, Elias Heftrig, and I have a new draft on collision
>free
>> key tags in DNSSEC. This topic has been in the air since the Keytrap
>> vulnerability disclosure -- and IETF120 hallway track conversations
>this
>> week prompted us to write up a rough initial proposal for this. Will
>need
>> much more fleshing out of details etc, but we hope this can serve as
>a
>> starting point ...
>> >
>> >    
>https://datatracker.ietf.org/doc/html/draft-huque-dnsop-keytags-00 [
>> datatracker.ietf.org]
>>
>> The problems are listed as:
>>
>> Colliding key tags impose additional work on a validating resolver,
>which
>> then has to check signatures for each of the candidate set of keys
>> identified by the Key Tag. Furthermore, they open up resolvers to
>> computational denial of service attacks by adversaries deploying
>specially
>> crafted zones with many intentionally colliding key tags [KEYTRAP].
>>
>> The main part of the proposed solution is listed as:
>>
>> DNSKEY algorithms MUST have DNSKEY RRsets that do not have colliding
>key
>> tags
>>
>> There is a mismatch here. If the worry is an attacker creating
>colliding
>> key tags to cause more work, that attacker is simply going to ignore
>the
>> MUST requirement.
>>
>
>It's a phased mitigation over time.
>
>The actual proposal is initially only "new" DNSKEY algorithms will have
>the
>no colliding key tags requirement. In which case, yes, the adversary
>will
>just use existing algorithms to deploy their attack. Arguably,
>currently
>deployed defenses that limit the number of colliding key tags already
>deal
>with this. Over time, we could envision requiring this for existing
>algorithms too, or moving everyone to the new algorithms. Anyway, there
>is
>a diverse solution space - we need the community to discuss the various
>possibilities and hopefully converge.
>
>The other goal of course is to make validation more efficient, and
>avoid
>resolvers having to unnecessarily check signatures for keys that they
>don't
>need to.
>
>Shumon.

v2.35.0 | Report a Bug | By Email | System Status