Re: [DNSOP] ECDSA woes

Geoff Huston <gih@apnic.net> Sat, 15 October 2016 21:29 UTC

From: Geoff Huston <gih@apnic.net>
In-Reply-To: <alpine.DEB.2.02.1610151751210.12036@uplift.swm.pp.se>
Date: Sun, 16 Oct 2016 08:23:35 +1100
Message-ID: <11BD031F-EDBF-4DF6-A167-0240581EBD0F@apnic.net>
References: <alpine.DEB.2.02.1610150806380.26951@uplift.swm.pp.se> <c1e14584-a444-37ef-1e4c-d1077ba4f384@bellis.me.uk> <alpine.DEB.2.02.1610151717420.12036@uplift.swm.pp.se> <0A83A7D9-E7E8-4494-86F9-F19AE96967D7@fl1ger.de> <alpine.DEB.2.02.1610151751210.12036@uplift.swm.pp.se>
To: Mikael Abrahamsson <swmike@swm.pp.se>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/AldF8anrxXuD21ftGLnxjoi7o38>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] ECDSA woes

> On 16 Oct. 2016, at 2:53 am, Mikael Abrahamsson <swmike@swm.pp.se> wrote:
> 
> On Sat, 15 Oct 2016, Ralf Weber wrote:
> 
>> Geoff Huston did some research here some years ago and just did an update to his findings. You might want to look at:
>> 	http://www.potaroo.net/ispcol/2016-10/ecdsa-v2.html
> 
> Do we know how many experiments failed because the resolver erroneously reported error for ECDSA signed domains?
> 
> From reading Geoff's text, it's not obvious to me that this error case is caught by his tests?

so I have three tests:

A: a validly-signed ECDSA P-256 domain

B: an invalidly-signed ECDSA P-256 domain

C: an unsigned control

now if the resolver does NOT recognise ECDSA, we should see a fetch for A, B and C (as it treats both A and B as if they were unsigned)

if the resolver recognises ECDSA, we will see a fetch of A and C but not B

and if the resolver incorrectly returns SERVFAIL when it sees ECDSA (which I presume is what DNSMASQ 2.71 is doing), then we should see only C and not A or B

The report generated uses these definitions to determine if a user is passing their queries to ECDSA-aware resolvers

So that's the long answer to yes: this error is caught by these tests, and the error is put into the “does not do ECDSA” bucket.

thanks,

   Geoff
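The bucketing Geoff describes above, as an added worked example (this is not the measurement code from the potaroo.net report, and the test-domain names, the unique per-experiment label scheme and the log format are all assumptions made for the illustration). It parses a constructed fetch log, groups the A/B/C fetches by experiment label, and maps each fetch pattern to a bucket exactly as the message lays it out; experiments that never fetched the unsigned control C are reported as inconclusive rather than as a resolver result, since without C a missing A or B cannot be distinguished from a user who simply went away.

```python
import re
from collections import defaultdict

# Assumed (hypothetical) test-zone names, one per test case in the message.
TEST_DOMAINS = {
    "ecdsa-ok.example.net": "A",   # A: validly-signed ECDSA P-256 domain
    "ecdsa-bad.example.net": "B",  # B: invalidly-signed ECDSA P-256 domain
    "unsigned.example.net": "C",   # C: unsigned control
}

# Fetch pattern -> bucket, following the reasoning in the message.
BUCKETS = {
    frozenset({"A", "B", "C"}): "does not do ECDSA",  # A and B treated as unsigned
    frozenset({"A", "C"}):      "does ECDSA",         # B withheld after failed validation
    frozenset({"C"}):           "does not do ECDSA",  # SERVFAIL on every ECDSA-signed zone
}

# Assumption: each experiment puts a unique label in front of the test zone
# (e.g. u1001.ecdsa-ok.example.net) so resolver caching cannot hide a fetch.
HOST_RE = re.compile(r"^u(?P<exp>\d+)\.(?P<zone>[a-z0-9.-]+)$")

# Constructed log format: "<timestamp> <client-ip> <host> <path>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<path>\S+)$")


def parse_fetches(lines):
    """Return {experiment_id: set of test letters fetched} from log lines."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # malformed line, ignore it
        h = HOST_RE.match(m.group("host"))
        if not h or h.group("zone") not in TEST_DOMAINS:
            continue                      # not one of the three test names
        seen[h.group("exp")].add(TEST_DOMAINS[h.group("zone")])
    return dict(seen)


def classify(fetched):
    """Map the set of fetched test names to a bucket."""
    fetched = frozenset(fetched)
    if "C" not in fetched:
        # No control fetch: the experiment did not complete, so nothing can be
        # said about the resolver. Do not count it in either bucket.
        return "inconclusive"
    return BUCKETS.get(fetched, "inconclusive")


def report(lines):
    """Bucket every experiment found in the log."""
    return {exp: classify(f) for exp, f in parse_fetches(lines).items()}


# Constructed sample log: four experiments plus one junk line.
SAMPLE_LOG = """\
2016-10-15T21:00:01Z 198.51.100.7 u1001.ecdsa-ok.example.net /1x1.png
2016-10-15T21:00:01Z 198.51.100.7 u1001.ecdsa-bad.example.net /1x1.png
2016-10-15T21:00:01Z 198.51.100.7 u1001.unsigned.example.net /1x1.png
2016-10-15T21:00:05Z 203.0.113.9 u1002.ecdsa-ok.example.net /1x1.png
2016-10-15T21:00:05Z 203.0.113.9 u1002.unsigned.example.net /1x1.png
2016-10-15T21:00:09Z 192.0.2.44 u1003.unsigned.example.net /1x1.png
2016-10-15T21:00:12Z 192.0.2.45 u1004.ecdsa-ok.example.net /1x1.png
this line is not a fetch record
""".splitlines()

if __name__ == "__main__":
    for exp, bucket in sorted(report(SAMPLE_LOG).items()):
        print(exp, bucket)
```

Experiment 1001 fetched all three names and lands in the "does not do ECDSA" bucket; 1002 fetched A and C only and is counted as ECDSA-aware; 1003 fetched only the control, the dnsmasq-style SERVFAIL pattern, and also lands in "does not do ECDSA"; 1004 never fetched C and is discarded as inconclusive.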