Re: [DNSOP] SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1

Viktor Dukhovni <> Wed, 08 January 2020 17:29 UTC

Date: Wed, 8 Jan 2020 12:29:16 -0500
From: Viktor Dukhovni <>
Subject: Re: [DNSOP] SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1

On Wed, Jan 08, 2020 at 08:50:05AM -0800, Ólafur Guðmundsson wrote:

> Due to the structure of DNS records this is hard to pull off,

Yes, at present.

> The only RR types that are suspect are the ones that can have 1440 of
> "garbage" at the end

Yes, at present, but the attacks may continue to improve, perhaps
requiring fewer attacker supplied blocks to reach a collision.

> DS has a fixed size so it cannot be used unless someone figures out how
> to select blocks that include valid DNS record envelopes.

Yes, while the block count to go from a chosen prefix to a collision is
substantially more than 2.

> TXT will work if the attacker can encode lengths of the individual strings
> into a valid record ==> but who cares about TXT abuse

This is not correct, because with chosen-prefix attacks the two messages
that collide need not share the same owner and type (that's the whole
point of chosen-prefix, the initial segment of the second message can be
freely chosen by the attacker).  Therefore the TXT record can have the
same signature as some more important record, perhaps a fake DNSKEY
RRset for the zone apex!

> DNSKEY with RSA is a good candidate for this attack as any DNSKEY RRset
> for SHA1 algorithms can be attacked by adding a key that sorts to be last
> and is larger than 1440 bits.

But the real DNSKEY RRset is not attacker controlled, whoever creates
the zone's DNSKEY RRs can already subvert the zone content in whatever
way they see fit.  Legitimate signatures of DNSKEYs are not at risk.

> Thus anyone that is using RSA algorithm < 8 should think about key or
> algorithm rollover

Yes, on this we can agree, even though the risk is lower for "leaf"
zones that only sign their own content.
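The two practical points of this exchange, that the bytes an RRSIG signs begin with a zone-fixed prefix (RRSIG fields, owner name, type, class, TTL) before any record content, and that keys on RSA algorithms below 8 should be rolled, are illustrated by the following Python, which is an added example and not code from Viktor, Ólafur or the DNSOP working group. The DNSKEY lines and timestamps are constructed sample data; the algorithm numbers, the key tag computation and the signed-data layout follow RFC 4034 (sections 3.1.8.1, 6.2 and Appendix B), and the RRset is simplified to a single RR.

```python
import base64
import hashlib
import struct

# SHA-1 based DNSSEC algorithm numbers from the IANA registry. The "RSA algorithm < 8"
# case in the thread is 5 and 7; 3 and 6 are the DSA variants, also SHA-1 based.
SHA1_ALGORITHMS = {3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1"}

TYPE_TXT, TYPE_DNSKEY, CLASS_IN = 16, 48, 1


def key_tag(flags, protocol, algorithm, public_key):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B); for algorithms other than 1."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line):
    """Parse a DNSKEY RR in presentation format: owner TTL class DNSKEY flags proto alg key."""
    f = line.split()
    if len(f) < 8 or f[3].upper() != "DNSKEY":
        raise ValueError("not a DNSKEY RR: %r" % line)
    flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
    key = base64.b64decode("".join(f[7:]))
    return {"owner": f[0], "flags": flags, "algorithm": alg,
            "key_tag": key_tag(flags, proto, alg, key)}


def audit_dnskeys(lines):
    """Return (owner, key tag, algorithm name) for every key that still relies on SHA-1."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rr = parse_dnskey(line.strip())
        if rr["algorithm"] in SHA1_ALGORITHMS:
            findings.append((rr["owner"], rr["key_tag"], SHA1_ALGORITHMS[rr["algorithm"]]))
    return findings


def name_to_wire(name):
    """Canonical wire form of a name (RFC 4034 section 6.2): lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def rrsig_signed_data(owner, rr_type, ttl, rdata, algorithm, tag, signer, expiration, inception):
    """Bytes an RRSIG signs over a single-RR RRset (RFC 4034 section 3.1.8.1): the RRSIG
    RDATA without its signature field, then the canonical RR. Everything before `rdata`
    is determined by the zone, owner and type; only `rdata` carries record content."""
    labels = len([l for l in owner.rstrip(".").split(".") if l])
    prefix = struct.pack("!HBBIIIH", rr_type, algorithm, labels, ttl, expiration, inception, tag)
    prefix += name_to_wire(signer)
    rr = name_to_wire(owner) + struct.pack("!HHIH", rr_type, CLASS_IN, ttl, len(rdata)) + rdata
    return prefix + rr


def fixed_prefix(signed_data, rdata):
    """The part of the signed data that precedes the RDATA (the chosen-prefix side)."""
    return signed_data[: len(signed_data) - len(rdata)]


# Constructed sample zone; the keys are tiny placeholders, not real public keys.
SAMPLE_DNSKEYS = [
    "example. 3600 IN DNSKEY 257 3 5 AQID",
    "example. 3600 IN DNSKEY 256 3 8 AQIDBA==",
    "example. 3600 IN DNSKEY 256 3 13 AQIDBAU=",
]

if __name__ == "__main__":
    for owner, tag, alg in audit_dnskeys(SAMPLE_DNSKEYS):
        print("%s key tag %d uses %s: plan an algorithm rollover" % (owner, tag, alg))
    txt_rdata, dk_rdata = b"\x05hello", b"\x01\x01\x03\x05\x01\x02\x03"
    txt = rrsig_signed_data("example.", TYPE_TXT, 3600, txt_rdata, 5, 2056, "example.", 1600000000, 1599000000)
    dk = rrsig_signed_data("example.", TYPE_DNSKEY, 3600, dk_rdata, 5, 2056, "example.", 1600000000, 1599000000)
    # RSASHA1 signs SHA-1 of these bytes; the type and owner sit in the fixed prefix.
    print("prefixes differ:", fixed_prefix(txt, txt_rdata) != fixed_prefix(dk, dk_rdata))
    print("SHA-1 over TXT signed data:", hashlib.sha1(txt).hexdigest())
```

The audit half is the operational check: run it over the zone's DNSKEY RRset (or a `dig DNSKEY` output) and every hit is a key whose signatures are computed over SHA-1. The signed-data half shows why the TXT case matters in this thread: the prefix that precedes the RDATA already differs between a TXT RR and a DNSKEY RR, so a forged pairing would need a collision between two messages with different prefixes, which is exactly what a chosen-prefix attack delivers, while the signer's own prefix gives no control to anyone who cannot author zone content.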