IETF Logo Mail Archive

Re: [DNSOP] key lengths for DNSSEC

Richard Lamb <richard.lamb@icann.org> Wed, 02 April 2014 20:49 UTC

Return-Path: <richard.lamb@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74B561A03E7 for <dnsop@ietfa.amsl.com>; Wed, 2 Apr 2014 13:49:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cZShqgt7ZB4a for <dnsop@ietfa.amsl.com>; Wed, 2 Apr 2014 13:49:03 -0700 (PDT)
Received: from EXPFE100-2.exc.icann.org (expfe100-2.exc.icann.org [64.78.22.237]) by ietfa.amsl.com (Postfix) with ESMTP id 9CAB21A03E3 for <dnsop@ietf.org>; Wed, 2 Apr 2014 13:48:59 -0700 (PDT)
Received: from EXVPMBX100-1.exc.icann.org ([64.78.22.232]) by EXPFE100-2.exc.icann.org ([64.78.22.237]) with mapi; Wed, 2 Apr 2014 13:48:55 -0700
From: Richard Lamb <richard.lamb@icann.org>
To: Joe Abley <jabley@hopcount.ca>, Ted Lemon <Ted.Lemon@nominum.com>
Date: Wed, 02 Apr 2014 13:49:07 -0700
Thread-Topic: [DNSOP] key lengths for DNSSEC
Thread-Index: Ac9OgtPHhuC6CPc0SPOYVwgQGOSkgAAIgm4g
Message-ID: <5648A8908CCB564EBF46E2BC904A75B1A3BEE30416@EXVPMBX100-1.exc.icann.org>
References: <78F386B0-BC6B-4159-B9D4-4BFEB10252A6@rfc1035.com> <16A7DDD8-AB8E-458F-B031-80E5141CAE5A@nominum.com> <195BD466-22EF-4EE6-9E43-D1051502AF36@hopcount.ca>
In-Reply-To: <195BD466-22EF-4EE6-9E43-D1051502AF36@hopcount.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/G5oZ8TlXNcU5ygtpkN1ZRvlco-A
Cc: IETF DNSOP WG <dnsop@ietf.org>
Subject: Re: [DNSOP] key lengths for DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Apr 2014 20:49:10 -0000

Speaking for myself:

First:  Thank you Jim and Joe for seeking to increase the signal-to-noise ratio on this thread and for explaining what the attack vector would be for lower IQ folk like myself.

Second: I have always taken my instructions from the community. So regardless of what I believe I will faithfully do my part (with your help) to make it happen.

Third: From my vantage point and as author of the code used for the KSK side of things, I do not see any immediate barriers  to increasing key lengths.  The members of the original root DNSSEC design team have enjoyed a very good working relationship and I expect that to continue.  However, like any other change at this level it must be one that is approached conservatively and thoroughly tested before deployed (software, increased RRSet sizes, IPv6 impact, new ZSK generation).  This will take human resources and time.

I look forward to following further discussions on this topic.

-Rick



-----Original Message-----
From: DNSOP [mailto:dnsop-bounces@ietf.org] On Behalf Of Joe Abley
Sent: Wednesday, April 02, 2014 7:50 AM
To: Ted Lemon
Cc: IETF DNSOP WG
Subject: Re: [DNSOP] key lengths for DNSSEC


On 2 Apr 2014, at 10:26, Ted Lemon <Ted.Lemon@nominum.com> wrote:

> The problem with the way you've phrased this question is that there does not seem to be agreement amongst the parties to this discussion whether old keys matter.   If you think they do, you need longer keys.   If you think they don't, you need shorter keys.   So rather than talking about key lengths first, it would be more productive to come to a consensus about which threat model we are trying to address.

I'm trying to understand the time-based attack, but I'm not seeing it.

The gist seems to be that if I can turn back the clock on a remote resolver, I can pollute its cache with old signatures (made with an old, presumably compromised key) and the results will appear to clients of the resolver to validate.

This sounds plausible, but without administrative compromise of the remote resolver (in which case you have much simpler options) this attack seems to involve:

1. subverting sufficient NTP responses over a long enough period to cause the remote resolver's clock to turn back in time (long period suggested due to many/most? implementations' refuse large steps in times, and hence many smaller steps might be required)

2. replacing every secure response that would normally arrive at the resolver with a new one that will validate properly at whatever the resolver's idea of the time and date is (or, if not every, sufficient that the client population don't see validation failures for non-target queries). This potentially involves having factored or otherwise recovered every ZSK and KSK that might be used to generate a signature in a response to the resolver, for the time period between now and then.

This seems like an intractably difficult thing to accomplish.

What am I missing?


Joe
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email