Re: [DNSOP] More keys in the DNSKEY RRset at ., and draft-ietf-dnsop-respsize-nn

Joe Abley <jabley@hopcount.ca> Tue, 14 January 2014 23:15 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA88B1ADFF3 for <dnsop@ietfa.amsl.com>; Tue, 14 Jan 2014 15:15:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dVKL41Wjs4OV for <dnsop@ietfa.amsl.com>; Tue, 14 Jan 2014 15:15:23 -0800 (PST)
Received: from mail-qc0-x22a.google.com (mail-qc0-x22a.google.com [IPv6:2607:f8b0:400d:c01::22a]) by ietfa.amsl.com (Postfix) with ESMTP id 5F4051A1F1F for <dnsop@ietf.org>; Tue, 14 Jan 2014 15:15:23 -0800 (PST)
Received: by mail-qc0-f170.google.com with SMTP id e9so321096qcy.15 for <dnsop@ietf.org>; Tue, 14 Jan 2014 15:15:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=lj8X8HomOlTHRmfLcc086A5Gh8U+UEykrTIqNN4yIjc=; b=WobcrquzgyzsvFWvrUWQdK4F4TxveM8hp7RXRrVrrLvaHay4U7W+kHDOi21Ctm6zn+ vjQquOdD7VKxx/GBLTS9mqVEkhYCzz24F5L8PzHoyTgOUldDS1GIFn3x/ZUSiuyp2Sfx 4xprg9yGvXy1tecVbFulmCMI2BDNM9RTORKM4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=lj8X8HomOlTHRmfLcc086A5Gh8U+UEykrTIqNN4yIjc=; b=iwUf17iy9oChq/pM6ES5Tvl+pL0wrWneUzuJdPvnLnTzDHsQcli9S4KF3P+GR+QWW2 ik0anKSVd3UulcKeL/0LB5eAG6ynz9WCLmXkmk+jipLXJZDYJlxfnM5hSsSh7pONvuNV tSGZCy95bjnHBzDHo0MZ1gFtOn27Ogh6KbI5PNZ343c82mRdobF/zxGH5Pv1IzbHXZFf 372o8P8TaQCh8rngyYam12VLfLMk9RqZvmY9gqnJmutZKF9wQu/2GBYLsRrka3vXBOZ8 IqVNrqi9WAcVw6/TqOznU6meqObgtUi183a9MlKD1c3+JnDpGhvQB+yWufjWAYJe+gB6 90Aw==
X-Gm-Message-State: ALoCoQldayYGtJqzSSHeJHDuhDb4MNKoJqY/TBOAocw/3wY6reZU9Z3V+6PR7a4JxAxRrnoV63Lq
X-Received: by 10.224.57.148 with SMTP id c20mr7830721qah.59.1389741311544; Tue, 14 Jan 2014 15:15:11 -0800 (PST)
Received: from ?IPv6:2001:4900:1042:1:85c9:f0d9:4f25:1728? ([2001:4900:1042:1:85c9:f0d9:4f25:1728]) by mx.google.com with ESMTPSA id f8sm3050442qab.19.2014.01.14.15.15.10 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 14 Jan 2014 15:15:10 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_78557DDA-E7A3-48FE-962B-D9109F1F7FD8"; protocol="application/pgp-signature"; micalg=pgp-sha1
Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <CAKr6gn0rQa8CeA+5tBYnr2G52-P-qd4V1g=ohQMwgi9osfQYvQ@mail.gmail.com>
Date: Tue, 14 Jan 2014 18:15:08 -0500
Message-Id: <AA79D9D2-7B30-4418-9C9A-268FF54AC23A@hopcount.ca>
References: <20140114172240.GO17198@mx1.yitter.info> <C6EFA413-1FFC-4188-B98A-13C747981FBC@hopcount.ca> <20140114200849.GA17907@mx1.yitter.info> <CAKr6gn0rQa8CeA+5tBYnr2G52-P-qd4V1g=ohQMwgi9osfQYvQ@mail.gmail.com>
To: George Michaelson <ggm@algebras.org>
X-Mailer: Apple Mail (2.1827)
Cc: dnsop WG <dnsop@ietf.org>, Andrew Sullivan <ajs@anvilwalrusden.com>
Subject: Re: [DNSOP] More keys in the DNSKEY RRset at ., and draft-ietf-dnsop-respsize-nn
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jan 2014 23:15:25 -0000

On 2014-01-14, at 18:04, George Michaelson <ggm@algebras.org> wrote:

> If multiple independent entities sign, can't they elect to use shorter algorithms?
> 
> I know 'short can be spoofed' is out there, but since there are now n * <512> instead of 1 * 2048 is it not theoretically possible that at a cost of more complexity, it can be demonstrated that as long as 1) the sigs are all current 2) all the sig agree then the risk of n 512-bit signings is not necessarily worse than one 2048 or 4096 bit signing, for the specific need we have: proof of correctness. (n is unstated. 512 is a nonce. I have no idea what the sweet spot of keysize and number of keys would be.)

If you sign the DNSKEY RRSet with N KSKs of the same size as the single current KSK, then presumably the expected time for one of them to be factored is N times lower than the expected time to factor a single key, given the same compute resources being available for each key in all cases.

This suggests that if multiple KSKs are used, the keys need to be longer, not shorter, if the same degree of protection is desired.

I'm assuming that what we're talking about is this:

. IN DNSKEY ZSK0
. IN DNSKEY ZSK1
. IN DNSKEY KSK0
. IN DNSKEY KSK1
. IN DNSKEY ...
. IN DNSKEY KSKn
. IN RRSIG DNSKEY KSK0
. IN RRSIG DNSKEY KSK1
. IN RRSIG DNSKEY ...
. IN RRSIG DNSKEY KSKn

(the size of which makes my hair stand on end) and not this:

. IN DNSKEY ZSK0
. IN DNSKEY ZSK1
. IN DNSKEY KSKnew
. IN RRSIG DNSKEY KSK

where KSKnew is some combinatorial function of {KSK0, KSK1, ..., KSKn} since this second approach still requires a single KSKnew to be prepared in a single place in order to generate the RRSIG, which would presumably be a non-goal of de-centralising control of the keys.

> I am not a cryptographer and do not play one on TV

Me neither.


Joe