Re: [DNSOP] [Ext] About key tags
Mark Andrews <marka@isc.org> Tue, 27 February 2024 22:48 UTC
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18E10C14CE51 for <dnsop@ietfa.amsl.com>; Tue, 27 Feb 2024 14:48:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b="oE2TnL0d"; dkim=pass (1024-bit key) header.d=isc.org header.b="NDBOWf0x"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QgUKDplB8ejn for <dnsop@ietfa.amsl.com>; Tue, 27 Feb 2024 14:48:40 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.2.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 810F4C14F714 for <dnsop@ietf.org>; Tue, 27 Feb 2024 14:48:39 -0800 (PST)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.2.31]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 078D43AB1B9; Tue, 27 Feb 2024 22:48:39 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org 078D43AB1B9
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.2.31
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1709074119; cv=none; b=UK1446VGJmmUzo7rnxwJnVoWqqZLM0XsduJpChiUdNHZzEdHnQs9e1CNKF50j7clvzxoZeHdLoFJR3GQCNFl5w+6AmSyV3tbKK5TaFNwauFqrRyESsqFATPmoROt1BgezfGg1LVBgSA2mnkRq2ZiNbjqdZNJMcTr3ZgjiKKAcLI=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1709074119; c=relaxed/relaxed; bh=WMJp8p5jNHrDTifjce/P3ylC+J8cQf7QaWgDd8sCqmM=; h=DKIM-Signature:DKIM-Signature:Mime-Version:Subject:From:Date: Message-Id:To; b=G0ipJdTYu4Fe+DmGw7Q2KQH9jjgXY9TT3t2GfWSWVvdaQDpbErq11HPD4zadv1UX4oa65AKjcNiTJbd08+M5W3X7lY7pUGlooXhur8XE/drdpqvycOhidVGcgPiw4pM4ondYc9+mafdG+Dmq4z/vVcd7s10CEaD4D/N3G0agBlU=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org 078D43AB1B9
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1709074119; bh=DGIypxgUx3ZatiAEVRhk7UUD8q2jVCV6HHNARqILMsw=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=oE2TnL0dbxcrI1llI63LpF6jGRdDzLlaIEPrkh/q6htspa2IVkvoAL1g42iBR0qTP T5PaOtkU0tgmoMtYeMLg4YgmYlcRgkKK35pKha3EW87At9MBL+776Oe58+1E/PS5Hw GfPWNSO9bkxk+bRH3G8SXNtMpZq1bd4q0VBbwSok=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id 042BC114B65E; Tue, 27 Feb 2024 22:48:39 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id D7D98114B672; Tue, 27 Feb 2024 22:48:38 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org D7D98114B672
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1709074118; bh=WMJp8p5jNHrDTifjce/P3ylC+J8cQf7QaWgDd8sCqmM=; h=Mime-Version:From:Date:Message-Id:To; b=NDBOWf0xs7hCyfTtkxNHft17Hz0dAXVP8IU0gaOnZUI0fMoWwbvJspgLrrFGtm+8B HSmVvlUNNeT3Aq9g3oCphBQFUV644N7bNAYtV3SFaDH9BRu9UsC+cgSsQZIjoqOGLK LoxDSEZ2gEsp+Exbdk6A411TYcGTHhLARMhVi7qo=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavis, port 10026) with ESMTP id lc5C6tRMIvoF; Tue, 27 Feb 2024 22:48:38 +0000 (UTC)
Received: from smtpclient.apple (n49-187-27-239.bla1.nsw.optusnet.com.au [49.187.27.239]) by zimbrang.isc.org (Postfix) with ESMTPSA id 4838B114B65E; Tue, 27 Feb 2024 22:48:38 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6.1.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <20240227220905.E06018410007@ary.qy>
Date: Wed, 28 Feb 2024 09:48:25 +1100
Cc: dnsop@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <447E01C7-C245-4BA3-88C7-AF847B50047A@isc.org>
References: <20240227220905.E06018410007@ary.qy>
To: John Levine <johnl@taugh.com>
X-Mailer: Apple Mail (2.3731.700.6.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/8ysOdRioM_m-dVFQ_4-7lirhjaU>
Subject: Re: [DNSOP] [Ext] About key tags
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Feb 2024 22:48:45 -0000
> On 28 Feb 2024, at 09:09, John Levine <johnl@taugh.com> wrote: > > It appears that Mark Andrews <marka@isc.org> said: >> The current “fixes” still leave validators more vulnerable to cpu exhaustion attacks than eliminating colliding key tags in the signer does. This is a protocol bug that leads to >> cpu exhaustion. We, the IETF, have a duty to fix this at the protocol level. > > I'm having trouble understanding how this is fundamentally different > from CNAME loops, or NS sets with silly numbers of NS or A records. > > The kind of load is different but in each case the client needs to > limit the amount of work it's willing to do. We can forbid it in the > protocol but unless you have better contacts at the Protocol Police > than I do, people will do it anyway. If you forbid in the protocol the tools will be fixed to prevent it occurring when signing and the validators don’t have to be prepared to play trial and error when there are duplicate tags in a DNSKEY RRset. It’s trivially easy to create a DNSKEY RRset with duplicate key tags that will validate. It trivially easy to create RRSIGs with a key tag that matches those duplicate key tags that don’t verify. We know that attackers regularly succeed in getting records to be looked up without direct access to the resolver. If you have an open resolver it is even easier. Colliding key tags are a force multiplier when trying to DoS a validating resolver. Mark > R's, > John > > PS: Try looking up 1.2.3.4.contacts.abuse.net. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- [DNSOP] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Arnold DECHAMPS
- Re: [DNSOP] About key tags Mark Andrews
- Re: [DNSOP] About key tags Wellington, Brian
- Re: [DNSOP] [Ext] Re: About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Petr Špaček
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Joe Abley
- Re: [DNSOP] [Ext] About key tags Petr Špaček
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Havard Eidnes
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Yorgos Thessalonikefs
- Re: [DNSOP] [Ext] About key tags Jim Reid
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Ralf Weber
- Re: [DNSOP] [Ext] About key tags Jim Reid
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags Ralf Weber
- Re: [DNSOP] [Ext] About key tags Petr Špaček
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Paul Hoffman
- Re: [DNSOP] [Ext] About key tags Donald Eastlake
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Petr Špaček
- Re: [DNSOP] [Ext] About key tags Paul Wouters
- Re: [DNSOP] [Ext] About key tags Paul Hoffman
- Re: [DNSOP] [Ext] About key tags Paul Wouters
- Re: [DNSOP] [Ext] About key tags Wellington, Brian
- Re: [DNSOP] [Ext] About key tags Paul Hoffman
- Re: [DNSOP] [Ext] About key tags Wellington, Brian
- Re: [DNSOP] [Ext] About key tags Ralf Weber
- Re: [DNSOP] [Ext] About key tags Paul Wouters
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Ralf Weber
- Re: [DNSOP] [Ext] About key tags Paul Hoffman
- Re: [DNSOP] [Ext] About key tags Ralf Weber
- Re: [DNSOP] [Ext] About key tags Bob Harold
- Re: [DNSOP] [Ext] About key tags Ted Lemon
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Jim Reid
- Re: [DNSOP] [Ext] About key tags libor.peltan
- Re: [DNSOP] [Ext] Re: About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Joe Abley
- Re: [DNSOP] [Ext] About key tags Petr Špaček
- Re: [DNSOP] [Ext] About key tags Jim Reid
- Re: [DNSOP] [Ext] About key tags Jim Reid
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags Peter Thomassen
- Re: [DNSOP] [Ext] About key tags Peter Thomassen
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Paul Hoffman
- Re: [DNSOP] [Ext] About key tags John Levine
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags John R Levine
- Re: [DNSOP] [Ext] About key tags and sensible lim… John Levine
- Re: [DNSOP] [Ext] About key tags Paul Wouters
- Re: [DNSOP] [Ext] About key tags libor.peltan
- Re: [DNSOP] [Ext] About key tags John Levine
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags Paul Hoffman
- Re: [DNSOP] [Ext] About key tags and their infreq… John R Levine
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Paul Wouters
- Re: [DNSOP] [Ext] About key tags and collision nu… John R Levine
- Re: [DNSOP] [Ext] About key tags Paul Hoffman
- Re: [DNSOP] [Ext] About key tags and collision nu… Mark Andrews
- Re: [DNSOP] [Ext] About key tags Ralf Weber
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Joe Abley
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags Ted Lemon
- Re: [DNSOP] [Ext] About key tags Paul Wouters
- Re: [DNSOP] [Ext] About key tags John R Levine
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Lanlan Pan
- Re: [DNSOP] [Ext] About key tags Paul Wouters
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Arnold DECHAMPS
- Re: [DNSOP] [Ext] About key tags John R Levine
- Re: [DNSOP] [Ext] About key tags Joe Abley
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags John R Levine
- Re: [DNSOP] [Ext] About key tags Bob Harold
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags John R Levine
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Peter Thomassen
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Peter Thomassen
- Re: [DNSOP] [Ext] About key tags John R Levine
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags John Levine
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] Nothing more useful to say Abou… John Levine
- Re: [DNSOP] [Ext] About key tags John Levine
- Re: [DNSOP] [Ext] Nothing more useful to say Abou… Philip Homburg
- Re: [DNSOP] [Ext] Nothing more useful to say Abou… John Levine
- Re: [DNSOP] [Ext] About key tags Dave Lawrence
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Petr Špaček