IETF Logo Mail Archive

Re: [DNSOP] ECDSA woes

Ólafur Guðmundsson <olafur@cloudflare.com> Sun, 16 October 2016 01:15 UTC

Return-Path: <olafur@cloudflare.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3689112940E for <dnsop@ietfa.amsl.com>; Sat, 15 Oct 2016 18:15:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jNGVjKQzsK4c for <dnsop@ietfa.amsl.com>; Sat, 15 Oct 2016 18:15:53 -0700 (PDT)
Received: from mail-it0-x22a.google.com (mail-it0-x22a.google.com [IPv6:2607:f8b0:4001:c0b::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 629F712940D for <dnsop@ietf.org>; Sat, 15 Oct 2016 18:15:53 -0700 (PDT)
Received: by mail-it0-x22a.google.com with SMTP id 4so22647311itv.0 for <dnsop@ietf.org>; Sat, 15 Oct 2016 18:15:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=NcX8di2+eC9r1JlvJRwKsHrscGXRVF2Eqt02L+/TKCY=; b=BTo6UWbH1TQzBh9IaXaj6Gv6VslNT1EaFtOi/AVw07fCKuEb8qzlzZzQQs8TeYJdmv zW8GaQrsUfG57f2BdHG2kf+t7hviD+ORN5ONl3d2UHXPPpEPEhpwzZ8yUxO+ou4C5chR sHUqD8j7xM9+6yCFsCk8h1B7sUbNn4tAOCwd0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=NcX8di2+eC9r1JlvJRwKsHrscGXRVF2Eqt02L+/TKCY=; b=GcZgHMTIGnHE/Clokb9Ibn/o1hQZMbKBWlpgi6CV/Z7dZXQ2EnpCDPCrWbwCuDP2eH jnG7+64pgbBwjRKiNYkE8NdGOU1G+hVXG0ZtMrfIJu/U32cEMdNo3HsU84r6ztf7Hkrq 3AYOpSYjUI3yq7Dmh6a9z5j8EOTGghpC7hnf4+jTGHJvwkUr4Xn9bav33nG0OIloCpAI 6Pkxj5MBIx8SGFODnYdm2gXNL9V/OyaL/chu4Uuw/KZtS4Q8cqU5CCswCiz3STnrPXq5 i2+jsXNncuujFcRgAhYydIYvkIaZ72Ov3tdS6KVFSeXxUA2j1ZgvPE6vYkd2P7qmGagr gWxg==
X-Gm-Message-State: AA6/9RlznuUQKrVHhZ0IB/Axp3IP/CO72OaWapXaMSmhqlCsFhSxsP/tRNNG+NSNeoW6ZwcgaWNdALVesaUuuq8g
X-Received: by 10.36.65.77 with SMTP id x74mr2048175ita.18.1476580552464; Sat, 15 Oct 2016 18:15:52 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.132.230 with HTTP; Sat, 15 Oct 2016 18:15:51 -0700 (PDT)
Received: by 10.107.132.230 with HTTP; Sat, 15 Oct 2016 18:15:51 -0700 (PDT)
In-Reply-To: <11BD031F-EDBF-4DF6-A167-0240581EBD0F@apnic.net>
References: <alpine.DEB.2.02.1610150806380.26951@uplift.swm.pp.se> <c1e14584-a444-37ef-1e4c-d1077ba4f384@bellis.me.uk> <alpine.DEB.2.02.1610151717420.12036@uplift.swm.pp.se> <0A83A7D9-E7E8-4494-86F9-F19AE96967D7@fl1ger.de> <alpine.DEB.2.02.1610151751210.12036@uplift.swm.pp.se> <11BD031F-EDBF-4DF6-A167-0240581EBD0F@apnic.net>
From: Ólafur Guðmundsson <olafur@cloudflare.com>
Date: Sat, 15 Oct 2016 21:15:51 -0400
Message-ID: <CAN6NTqz1Qk57KWFUio0jY36gkMi+HNmMvH4+PpSF-nhux+UXWg@mail.gmail.com>
To: Geoff Huston <gih@apnic.net>
Content-Type: multipart/alternative; boundary="001a11374f244fee9f053ef13319"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Dl5gnjPUwDPBhlmCPrkGVriDQKM>
Cc: dnsop <dnsop@ietf.org>, Mikael Abrahamsson <swmike@swm.pp.se>
Subject: Re: [DNSOP] ECDSA woes
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Oct 2016 01:15:55 -0000

I have domains signed by all combinations of signing algorithms and DS
digests as well as Nsec variants
Ds-n.alg-m-nsec.dnssec-test.org

Replace n with 1..4
M with 1..14
Nsec is one of Nsec nsec3 none

Ólafur

sent from phone

On Oct 15, 2016 17:29, "Geoff Huston" <gih@apnic.net> wrote:

>
> > On 16 Oct. 2016, at 2:53 am, Mikael Abrahamsson <swmike@swm.pp.se>
> wrote:
> >
> > On Sat, 15 Oct 2016, Ralf Weber wrote:
> >
> >> Geoff Houston did some research here some years ago and just did an
> update to his findings. You might want to look at:
> >>      http://www.potaroo.net/ispcol/2016-10/ecdsa-v2.html
> >
> > Do we know how many experiments failed because the resolver erroneously
> reported error for ECDSA signed domains?
> >
> >> From reading Geoffs text, it's not obvious to me that this error case is
> > caught by his tests?
>
> so I have three tests:
>
> A: a validly-signed ECDSA P-256 domain
>
> B: an invalidly-signed ECDSA P-256 domain
>
> C: an unsigned control
>
> now if the resolver does NOT recognise ECDSA we should see a fetch for A,
> B and C  (as they treat both A and B as if they were unsigned)
>
> if the resolver recognises ECDSA we will see a fetch of A and C but not B
>
> and if the resolver incorrectly returns SERVFAIL when it sees ECDSA (which
> I presume is what DNSMASQ 2.71 is doing) then we should see only C and not
> A or B
>
> The report generated uses these definitions to determine if a user is
> passing their queries to ECDSA-aware resolvers
>
> So thats the long answer to yes, this error is caught by these tests, and
> the error is put into the “does not do ECDSA” bucket.
>
> thanks,
>
>    Geoff
>
>
>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

v2.23.0 | Report a Bug | By Email