[DNSOP] Re: New draft on collision free key tags in DNSSEC

Petr Špaček <pspacek@isc.org> Wed, 31 July 2024 14:57 UTC

Return-Path: <pspacek@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D70C0C169402 for <dnsop@ietfa.amsl.com>; Wed, 31 Jul 2024 07:57:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b="h3aRpGm1"; dkim=pass (1024-bit key) header.d=isc.org header.b="LGeBBP42"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xeyaB80wK3My for <dnsop@ietfa.amsl.com>; Wed, 31 Jul 2024 07:57:33 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.2.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02711C19ECB8 for <dnsop@ietf.org>; Wed, 31 Jul 2024 07:57:32 -0700 (PDT)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.2.31]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 8616C3AB276; Wed, 31 Jul 2024 14:57:32 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org 8616C3AB276
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.2.31
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1722437852; cv=none; b=eyvtlnsHgyWZLmNO+xMgQ+nvEn8Hg26r80w+nN/HQcYGlqowjhIQ1oDl3exIihbUH6n0WK3wnWS32gkcCZIQXLZHsjUvOXmr6F5/ab1AgU8fAg9qObkYrAKMzDSOiAH8TsR7+XnrLAdKKHvkB99t3sNpzVzmHTGTVR3w9fowy6o=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1722437852; c=relaxed/relaxed; bh=xCjLmSup1cuBHTXQnI5HQ/qGqRGpfoYklm9y/PIH38U=; h=DKIM-Signature:DKIM-Signature:Message-ID:Date:MIME-Version: Subject:To:From; b=exZYoPRSDVXOor3WyVKKUfc2222ot/TjOJu6lKOjepFObcPs0tvoSF/kU+B4wBpFg3lF3sLR2rNc+UzQwdlsrPiDaczpco/tbIVXTXsqzRS7OXtqIkDR3nsDDaYsUiVtYpzl5JSwvQgo9rNK+xJV7vgVCnUvaT7JcQzXG2Gwie8=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org 8616C3AB276
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1722437852; bh=xCjLmSup1cuBHTXQnI5HQ/qGqRGpfoYklm9y/PIH38U=; h=Date:Subject:To:References:From:In-Reply-To; b=h3aRpGm1Gv/NtGHyjhVSSSQoABsEtGc0jkEEvPexEhExCKPSOhA5mC0hoYH+bT3c2 bMKCo5Rj9ugIE3FD7jX/R62QQhByUe6znKZ1Exfrfw85zpMaA6VTFodq60bsCZq1HY BGA5AzB1s0vR7NllhX8ZMMDY1JObtNjJE0n7nxxM=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id 8170C114D25F; Wed, 31 Jul 2024 14:57:32 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 5EAB1114D277; Wed, 31 Jul 2024 14:57:32 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 5EAB1114D277
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1722437852; bh=xCjLmSup1cuBHTXQnI5HQ/qGqRGpfoYklm9y/PIH38U=; h=Message-ID:Date:MIME-Version:To:From; b=LGeBBP42px5/qCIKzf++jmJwROTUv7X5FmA6JqGsiH563nzJbQNO7VZ/OACUcQYrA ZU1D+d2KWaR3UfGk/H1vZEuGSTHuaidfKwjt2B8n4LSmqU8HolNQHiDKFdJhp9KT0k g/RabOLvcfhI5wcXfONDml5vntRmi/8BJ90HwOss=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavis, port 10026) with ESMTP id 1Z0-LHJct0Wj; Wed, 31 Jul 2024 14:57:32 +0000 (UTC)
Received: from [192.168.0.131] (94-143-239-125.chrudim.cz [94.143.239.125]) by zimbrang.isc.org (Postfix) with ESMTPSA id D111A114D25F; Wed, 31 Jul 2024 14:57:31 +0000 (UTC)
Message-ID: <a45b9526-3d08-496e-9090-44fa2fa15017@isc.org>
Date: Wed, 31 Jul 2024 16:57:30 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>, dnsop@ietf.org
References: <CAHPuVdUveYraaGtrGveKTiLgP1L19G6g6=bsKsHjsPsP5fkiXg@mail.gmail.com> <774ab370-5d66-4c0d-b0a4-6d9e9cec2549@nic.cz> <db4ce7d8-4956-4c59-b396-c564f513f19b@isc.org> <6ccae7f0-bc35-4f5c-9b73-84b0157c2be3@nic.cz>
From: Petr Špaček <pspacek@isc.org>
Content-Language: en-US
Autocrypt: addr=pspacek@isc.org; keydata= xsFNBF/OJ/4BEAC0jP/EShRZtcI9KmzVK4IoD/GEDtcaNEEQzPt05G8xtC0P4uteXUwW8jaB CdcKIKR4eUJw3wdXXScLNlyh0i+gm5mIvKPrBYNAMOGGnkbAmMQOt9Q+TyGeTSSGiAjfvd/N nYg7L/KjVbG0sp6pAWVORMpR0oChHflzKSjvJITCGdpwagxSffU2HeWrLN7ePES6gPbtZ8HY KHUqjWZQsXLkMFw4yj8ZXuGarLwdBMB7V/9YHVkatJPjTsP8ZE723rV18iLiMvBqh4XtReEP 0vGQgiHnLnKs+reDiFy0cSOG0lpUWVGI50znu/gBuZRtTAE0LfMa0oAYaq997Y4k+na6JvHK hhaZMy82cD4YUa/xNnUPMXJjkJOBV4ghz/58GiT32lj4rdccjQO4zlvtjltjp9MTOFbRNI+I FCf9bykANotR+2BzttYKuCcred+Q7+wSDp9FQDdpUOiGnzT8oQukOuqiEh3J8hinHPGhtovH V22D0cU6T/u9mzvYoULhExPvXZglCLEuM0dACtjVsoyDkFVnTTupaPVuORgoW7nyNl0wDrII ILBqUBwzCdhQpYnyARSjx0gWSG1AQBKkk5SHQBqi1RAYC38M59SkpH0IKj+SaZbUJnuqshXh UIbY1GMHbW/GDhz7pNQFFYm2S4OPUBcmh/0O0Osma151/HjF7wARAQABzR9QZXRyIMWgcGHE jWVrIDxwc3BhY2VrQGlzYy5vcmc+wsGXBBMBCABBAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4B AheAAhkBFiEEEVO2++xeDVoSYmDzq9WHzfBlga4FAmWT+REFCQelsxMACgkQq9WHzfBlga7y 2Q//Ug58UI9mlnD/guf9mHqpJIMrBs/vX8HlzylsDcZUBTp2TJpzNh/CygPWrHY+IvA9I9+t Ygp0sB+Z9OtVZgW3bpWJ0iWe6N89Q0kwOuhJ75LsfR1V73L5C826M6bLQjYTj6HiwS9Nf+N0 jADhEV/p1KtCuZfwBkYJ4ZM+Na0zWerGPkGw9T9O0gfs0ePehzJ5V0OK0nCqMuC1h8o/rhCb vRCmxdAbNjrOrgKa7HN5DadP/tKstJMM09aXlT5q96fRIyCQyqXQoCrijCWvgAxgjABdh1TB /XsYvBC8+4wy5ZBtTcnxXGrMhrSxU2/vIK6RjDju7OIRClMNepEzvt0gNzxwwxIXVOzl5ioC i/Okovk1rZneFFxbVvaMyIJgY/hShJV7Ei+5S9UZUv6UUmRQ6zukeiSVZrtXs6fWLVlUnBDl Cv/fXi25hrymqNfPSBSB0tyc6YepR1Rq9omTni6DYmEHQuhPMHJ2fuiNNyBaH+9EI7go5e0J LvXVLJGXkMdTcmYHja1pDjmQ1K71gewfPWGFmn0JTa92GuZJaR/4MVePvoV0NTpCP0HiKIg5 0+AOdpvkJReFKTQOX08SwkUkgvy9h9WjBMpD5ymMs4gjJwXtcT1+aVtj9Xcw6tQde9Yyjxde a6UZ3TUfys8qZ8ZKmMKTaCUFukKzWDJMZ91V1b/OwU0EX84n/gEQANARNXihDNc1fLNFZK5s O14Yg2TouK9eo9gGh4yLSrmZ3pjtnuJSpTWmGD4g0EYzhwWA/T+CqjUnrhsvzLQ1ECYVqLpM VqK2OJ9PhLRbx1ITd4SKO/0xvXFkUqDTIF6a5mUCXH5DzTQGSmJwcjoRv3ye+Z1lDzOKJ+Qr gDHM2WLGlSZAVGcUeD1S2Mp/FroNOjGzrFXsUhOBNMo8PSC4ap0ZgYeVBq5aiMaQex0r+uM4 45S1z5N2nkNRYlUARkfKirqQxJ4mtj5XPC/jtdaUiMzvnwcMmLAwPlDNYiU0kO5IqJFBdzmJ yjzomVk1zK9AYS/woeIxETs+s6o7qXtMGGIoMWr6pirpHk4Wgp4TS02BSTSmNzParrFxLpEU dFKq3M0IsBCVGvfNgWL2pKKQVq34fwuBhJFQAigR9B3O9mfaeejrqt73Crp0ng0+Q74+Llzj EIJLOHYTMISTJyxYzhMCQlgPkKoj+TSVkRzBZoYFkUt4OXvlFj73wkeqeF8Z1YWoOCIjwXH9 0u2lPEq0cRHHyK+KSeH1zQJ4xgj0QDGPmkvi81D13sRaaNu3uSfXEDrdYYc+TSZd2bVh2VCr xrcfzQ1uz9fsdC9NPdNd7/mHvcAaNc5e9IhNh67L54aMBkzlJi18d0sWXOOHkyLSvbHnC/OP wv7qCf69PUJmtoeHABEBAAHCwXwEGAEIACYCGwwWIQQRU7b77F4NWhJiYPOr1YfN8GWBrgUC ZZP5UgUJB6WzVAAKCRCr1YfN8GWBrgxpD/949Tz7EtrE9e2yJ4np+y7uW8EDusVM3QsBdkYk yaQTupITew8WWQtNF/QK/MKRi+e/382t78nBq+T7G9PrRi7E4WS9dXdgJiFz25h3mC4TABJZ b6MLcEreLWTaqnR/D6F3AnNXh7GJFY4E6PAwC60W0R9G6R0E+2XeZX011NEGiBMvgZnqzzjU L9h8Gz7a/EsQync4cvLbruPt/UaOV0khKTefsOFj3q3wLY6qN2qw7HfgFRBCh6ME2XRvnwAd iv0pF4HRbXoFalkAsNEYkWQ6mkJjdYCHOWm3TWqXhalgGKqIOrQyMpH2mJpZllKBQiBiQMUz qz0cO9OqBk3xvNLplI3VNcC0WeQ8LEqyYKth2T78hVaIw8K0IcVmZQwXVxL03gojaJ5bK2O+ 2FfqKMcIiU+bqaTXntx+FYRQKblsUBYD77uU9sPVyKWIiHvukLTx7GY1ttn6gZDSIek/tTR7 oaei+xLh5JUgZpMZ4JHnirDWHbrJzYN95e8HWA/+qAOTsa+igZGsc6yA1oJIAnCwkclcLAgc x3GVVeEL+/b9CugZ+1OfbxlRK7gAeu0kyKiEXrUvCQPnPByIIfj4I4IvZO4552cmmnbn31f9 X/9nw+M4qAqOK7bRg65ucv71TayUehNJrfJSYx6P1tXIwzu19tIgtdWTcsszNWALfaUFtg==
In-Reply-To: <6ccae7f0-bc35-4f5c-9b73-84b0157c2be3@nic.cz>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: 2BQJ5LIUYCLGFIYLV4G2XEEDZJJNJDYT
X-Message-ID-Hash: 2BQJ5LIUYCLGFIYLV4G2XEEDZJJNJDYT
X-MailFrom: pspacek@isc.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: New draft on collision free key tags in DNSSEC
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Ks3vUkiRAEYLdIvWUnfvXCm5Psc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

On 31. 07. 24 15:56, Vladimír Čunát wrote:
> On 31/07/2024 15.29, Petr Špaček wrote:
>> Per-zone limit does not defend against resource exhaustion because an 
>> attacker can construct chain of delegations a.b.c.d.e...... and max 
>> out limit on each level. Then you instantly get about 126*(per-zone 
>> limit on validations) just for this particular attack vector. 
> 
> That's part of why I think the implementations need a different approach 
> (than this RFC, too).  Attackers can combine.  Do these long delegation 
> chains, and jump through several of them by CNAMEs, and put max. number 
> of RRSIGs everywhere in a way that many fail, etc.

Indeed that's exactly what I did when we were testing our KeyTrap fixes 
for BIND!

-- 
Petr Špaček
Internet Systems Consortium