Re: [DNSOP] key lengths for DNSSEC
Richard Lamb <richard.lamb@icann.org> Wed, 02 April 2014 20:49 UTC
From: Richard Lamb <richard.lamb@icann.org>
To: Joe Abley <jabley@hopcount.ca>, Ted Lemon <Ted.Lemon@nominum.com>
Date: Wed, 02 Apr 2014 13:49:07 -0700
Thread-Topic: [DNSOP] key lengths for DNSSEC
Thread-Index: Ac9OgtPHhuC6CPc0SPOYVwgQGOSkgAAIgm4g
Message-ID: <5648A8908CCB564EBF46E2BC904A75B1A3BEE30416@EXVPMBX100-1.exc.icann.org>
References: <78F386B0-BC6B-4159-B9D4-4BFEB10252A6@rfc1035.com> <16A7DDD8-AB8E-458F-B031-80E5141CAE5A@nominum.com> <195BD466-22EF-4EE6-9E43-D1051502AF36@hopcount.ca>
In-Reply-To: <195BD466-22EF-4EE6-9E43-D1051502AF36@hopcount.ca>
Accept-Language: en-US
Content-Language: en-US
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/G5oZ8TlXNcU5ygtpkN1ZRvlco-A
Cc: IETF DNSOP WG <dnsop@ietf.org>
Subject: Re: [DNSOP] key lengths for DNSSEC
Speaking for myself:

First: Thank you Jim and Joe for seeking to increase the signal-to-noise ratio on this thread and for explaining what the attack vector would be for lower IQ folk like myself.

Second: I have always taken my instructions from the community. So regardless of what I believe I will faithfully do my part (with your help) to make it happen.

Third: From my vantage point and as author of the code used for the KSK side of things, I do not see any immediate barriers to increasing key lengths. The members of the original root DNSSEC design team have enjoyed a very good working relationship and I expect that to continue. However, like any other change at this level it must be one that is approached conservatively and thoroughly tested before being deployed (software, increased RRSet sizes, IPv6 impact, new ZSK generation). This will take human resources and time.

I look forward to following further discussions on this topic.

-Rick

-----Original Message-----
From: DNSOP [mailto:dnsop-bounces@ietf.org] On Behalf Of Joe Abley
Sent: Wednesday, April 02, 2014 7:50 AM
To: Ted Lemon
Cc: IETF DNSOP WG
Subject: Re: [DNSOP] key lengths for DNSSEC

On 2 Apr 2014, at 10:26, Ted Lemon <Ted.Lemon@nominum.com> wrote:

> The problem with the way you've phrased this question is that there does not seem to be agreement amongst the parties to this discussion whether old keys matter. If you think they do, you need longer keys. If you think they don't, you need shorter keys. So rather than talking about key lengths first, it would be more productive to come to a consensus about which threat model we are trying to address.

I'm trying to understand the time-based attack, but I'm not seeing it. The gist seems to be that if I can turn back the clock on a remote resolver, I can pollute its cache with old signatures (made with an old, presumably compromised key) and the results will appear to clients of the resolver to validate.

This sounds plausible, but without administrative compromise of the remote resolver (in which case you have much simpler options) this attack seems to involve:

1. subverting sufficient NTP responses over a long enough period to cause the remote resolver's clock to turn back in time (long period suggested due to many/most? implementations refusing large steps in time, and hence many smaller steps might be required)

2. replacing every secure response that would normally arrive at the resolver with a new one that will validate properly at whatever the resolver's idea of the time and date is (or, if not every, sufficient that the client population don't see validation failures for non-target queries). This potentially involves having factored or otherwise recovered every ZSK and KSK that might be used to generate a signature in a response to the resolver, for the time period between now and then.

This seems like an intractably difficult thing to accomplish.

What am I missing?

Joe

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
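As an added illustration of the clock dependence Joe describes above (example code written for this page, not code from the thread, from ICANN's KSK tooling, or from any resolver): the only thing that ties an RRSIG to "now" is its inception/expiration window, which RFC 4034 section 3.1.5 says to compare using RFC 1982 serial number arithmetic on 32-bit values. The `RRSig` record, all timestamps, the key tag and the "trusted floor" mitigation (refusing to validate when the system clock reads earlier than a time the validator has independent reason to trust, such as its own build date) are constructed assumptions of this example, not features of a named implementation.

```python
"""Added example: RRSIG validity-window check and why a rolled-back clock matters.

RFC 4034 s.3.1.5: Signature Inception/Expiration are 32-bit seconds since epoch,
compared with serial number arithmetic (RFC 1982). Everything below the two
serial helpers is illustrative: sample record, timestamps and the floor check
are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

MOD = 1 << 32
HALF = 1 << 31


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 'a < b' for 32-bit serial numbers (handles wraparound)."""
    a %= MOD
    b %= MOD
    return (a < b and b - a < HALF) or (a > b and a - b > HALF)


@dataclass(frozen=True)
class RRSig:
    """Time-related fields of an RRSIG record (constructed sample data)."""
    signer: str
    key_tag: int          # assumed value, identifies the (old) ZSK
    inception: int        # 32-bit seconds since epoch
    expiration: int


def window_status(sig: RRSig, now: int) -> str:
    """Classify the signature relative to the validator's idea of 'now'.
    The window is inclusive at both ends, as in RFC 4034."""
    if serial_lt(now, sig.inception):
        return "not_yet_valid"
    if serial_lt(sig.expiration, now):
        return "expired"
    return "valid"


def validate_time(sig: RRSig, now: int, trusted_floor: Optional[int] = None) -> str:
    """Window check plus an assumed mitigation: if the clock reads earlier than
    a floor the validator trusts (e.g. software build time, or the last
    persisted successful validation), treat the clock as untrustworthy instead
    of accepting signatures from that earlier era."""
    if trusted_floor is not None and now < trusted_floor:
        return "clock_untrusted"
    return window_status(sig, now)


def ts(s: str) -> int:
    """ISO-8601 UTC timestamp -> epoch seconds."""
    return int(datetime.fromisoformat(s).replace(tzinfo=timezone.utc).timestamp())


# Constructed sample: a signature made with an old (assume since-compromised)
# ZSK, with a two-week validity window in March 2012.
OLD_SIG = RRSig(signer=".", key_tag=12345,
                inception=ts("2012-03-01T00:00:00"),
                expiration=ts("2012-03-15T00:00:00"))
TRUE_NOW = ts("2014-04-02T20:49:00")      # date of this thread
ROLLED_BACK = ts("2012-03-08T12:00:00")   # what the attack needs the clock to say
FLOOR = ts("2014-01-01T00:00:00")         # assumed: validator's build date


def demo() -> dict:
    """Three outcomes: honest clock, rolled-back clock, rolled-back clock + floor."""
    return {
        "true_clock": validate_time(OLD_SIG, TRUE_NOW, FLOOR),
        "rolled_back_no_floor": validate_time(OLD_SIG, ROLLED_BACK),
        "rolled_back_with_floor": validate_time(OLD_SIG, ROLLED_BACK, FLOOR),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>24}: {result}")
```

The middle case is the premise of the attack as described (the old signature is accepted only because the resolver's clock agrees with it); the third case shows that a resolver which refuses to trust a clock reading earlier than a known floor never reaches the window check, so the NTP step 1 above buys nothing on its own. Since real validators also key cache entries and trust anchors to the current DNSKEY set, this floor is a complement to, not a substitute for, the response-replacement effort described in step 2.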