Re: [DNSOP] [Ext] About key tags and collision numbers

John R Levine <johnl@taugh.com> Wed, 28 February 2024 22:23 UTC

Date: Wed, 28 Feb 2024 17:23:11 -0500
Message-ID: <ac974641-5aae-381d-2a5a-e3676bdd8f4a@taugh.com>
From: John R Levine <johnl@taugh.com>
To: Shumon Huque <shuque@gmail.com>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
In-Reply-To: <CAHPuVdWGQL5bRRqPj=-g_02y-7sZG-1WyiTCqktbdba=PuzEvg@mail.gmail.com>
References: <9C4B65D7-EC9D-40BC-9B23-825F7FE8FB7E@isc.org> <20240227220905.E06018410007@ary.qy> <641C2E38-F1A8-435B-BA6F-770FEE9AEEA5@icann.org> <CAHPuVdWGQL5bRRqPj=-g_02y-7sZG-1WyiTCqktbdba=PuzEvg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/LZ0HNbIice6S7gnv-eZ32dXN3Zo>
Subject: Re: [DNSOP] [Ext] About key tags and collision numbers

On Wed, 28 Feb 2024, Shumon Huque wrote:
> Banning keytag collisions outright today would not be a good idea - we risk
> rendering some sites unresolvable through no fault of their own. DNSSEC
> already has plenty of detractors, and we don't want to give them more
> ammunition by creating problems in the ecosystem that can be easily
> avoided. I think writing a BCP telling folks how to avoid collisions would
> make sense though (and yes, it needs to cover the multi-signer case too).

The multisigner case is a database update problem which is surprisingly 
hard to get right.  Either you need locked updates which are slow and 
subject to hanging, or you need to detect collisions and retry, which has 
its own problems (BTDT).

If we can live with small numbers of collisions, the whole problem is a 
lot more tractable.

Too bad there's no room for grease in DNSKEYs.  If you were allowed to add 
a byte or two of noise, you could constrain the range of the key IDs you 
generated, which would let you partition the ID space among multiple 
signers. That would be (other than the grease kludge) an elegant way out.

R's,
John
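Added example, not part of the thread: the RFC 4034 Appendix B key tag computation over DNSKEY RDATA, plus a model of the "grease" idea above. DNSKEY records have no such noise field, so the trailing grease bytes, the equal-slice partition of the 16-bit tag space among signers, and the sample public key are all assumptions made here to show why one extra 16-bit word would be enough to steer a tag into a signer's range.

```python
import struct

# Constructed sample: a 64-byte public key (ECDSAP256-sized), not a real key.
SAMPLE_PUBKEY = bytes(range(64))

def _acc(rdata: bytes) -> int:
    """Unfolded RFC 4034 accumulator: even offsets are high bytes, odd are low."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    return acc

def _fold(acc: int) -> int:
    """Add the carry back in and keep 16 bits, exactly as Appendix B does."""
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def key_tag(rdata: bytes) -> int:
    """Key tag of a DNSKEY RDATA (flags, protocol, algorithm, public key)."""
    return _fold(_acc(rdata))

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, grease: bytes = b"") -> bytes:
    """Build RDATA; `grease` is the hypothetical trailing noise, absent in real DNSKEYs."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey + grease

def partition(tag: int, signers: int) -> int:
    """Assumed scheme: signer k owns tags in [k*65536/signers, (k+1)*65536/signers)."""
    return tag * signers // 65536

def grease_for(rdata: bytes, signer: int, signers: int) -> bytes:
    """Find a 16-bit grease word that lands this key's tag in `signer`'s slice.

    The tag is a carry-folded 16-bit sum, so appending a word with value c adds c
    to the accumulator before folding; every slice is reachable, though one exact
    tag value may not be (the fold skips one residue), so grease constrains the
    range, not the precise tag. Returns b"" if no word works (cannot happen for
    signers >= 2 with this scheme, but callers should still check).
    """
    base, off = _acc(rdata), len(rdata)
    for c in range(65536):
        if partition(_fold(base + c), signers) == signer:
            hi, lo = c >> 8, c & 0xFF
            # Byte order depends on whether the grease starts at an even offset.
            return bytes([hi, lo]) if off % 2 == 0 else bytes([lo, hi])
    return b""

if __name__ == "__main__":
    rd = dnskey_rdata(257, 13, SAMPLE_PUBKEY)
    print("tag without grease:", key_tag(rd), "slice", partition(key_tag(rd), 4))
    g = grease_for(rd, 0, 4)
    print("grease", g.hex(), "-> tag", key_tag(rd + g), "slice", partition(key_tag(rd + g), 4))
```

Without a grease field, the only way to keep a signer inside its slice is to regenerate keys until `partition(key_tag(rdata), signers)` matches, which is the retry loop the message above calls tractable only if a few collisions are acceptable.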