IETF Logo Mail Archive

Re: [DNSOP] [Ext] About key tags

Shumon Huque <shuque@gmail.com> Wed, 28 February 2024 21:22 UTC

Return-Path: <shuque@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01464C14F708 for <dnsop@ietfa.amsl.com>; Wed, 28 Feb 2024 13:22:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id akvB3Mjn4wib for <dnsop@ietfa.amsl.com>; Wed, 28 Feb 2024 13:22:17 -0800 (PST)
Received: from mail-io1-xd30.google.com (mail-io1-xd30.google.com [IPv6:2607:f8b0:4864:20::d30]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6CA4AC14F60D for <dnsop@ietf.org>; Wed, 28 Feb 2024 13:22:17 -0800 (PST)
Received: by mail-io1-xd30.google.com with SMTP id ca18e2360f4ac-7c78573f31aso7842539f.3 for <dnsop@ietf.org>; Wed, 28 Feb 2024 13:22:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1709155336; x=1709760136; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=I/B8KhbkXFR6eoG3S03ny8cRi5yWUupch0PXGU43MKc=; b=K9xNZ4cgetfoxCMbM4TkzYpj5oS89yldvMrQkSq45VrlUBWMwaE+LIkRnG/nlhhQvG whjsln2I9kaJQNnkviLxLoiDM/M2tRe99mqaGo5t421BDKsyJZNITACDVkyPKPPh6dyr 4HHEJ0Iu1WUqijAo3/mCjkC12rWhKoJeSINXMPuas5kraZ7tTShAmnSUJ6QM7lK2Z6FL PEeGbGWifO6tW4C2qvBoiMQsJrIyzpjv31/xwLQ3g+NUxQzcJusNsGUTewh2I3CK+uQb N8NkX44LazAru+XC6L2jLC8VUAEIw0i5szyn2vEbdHC6UONZeKxgpAN5IwdkPtyvTyja RzLA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709155336; x=1709760136; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=I/B8KhbkXFR6eoG3S03ny8cRi5yWUupch0PXGU43MKc=; b=nY2To/1S0tg0J7Zd6Yt5M04tepAQpximwaXDR71T+G4oHv6vIKCeolDsgjJnqILUj4 L6fnQvwjxAu/L8bHj9JGX1R28ZJ0et76s5iXE3Uqo2GAdHH+8tp9gCoG9oKyNUs6Qg7I tmMk8Hglm+lnD47eQLnJ7bMUV+hfmssV+h3o2+pQFyoAhCOV9zXyLkpOJj5SJ90IWg/r b4joJFfhFIJywvRJyx/okI4FF4KSuxXGuTJcr+0GQORIhQReUo5vaoVP/6XQwbVUF0sZ YGP4dlx1suJ4JgWrZnYyXCOWOXAIkqU5NrNcmOV3yAxQ4JbVotcU8Fv2mTss4nd45Fxj AirQ==
X-Forwarded-Encrypted: i=1; AJvYcCXvjY9XwVHKs0a/aBYPN1r+pvoXSEHvrXbVjebwIuh3pqqWXQ76fYpnlUNcFlq3aorpiqDMyJtLxaUwXhHGvA==
X-Gm-Message-State: AOJu0YxtaRX/rDjz2phnluSsJLxH8ZYGBZ8aJb/fvjinsEDk2wuH01xT u/1PEM51n5D4P/O5C7H2fMX27OVhphghHnzpXKuYrOPrKgdDclz2+ZyOL8/1u1n3BisSCbbhPis Tj/hCnZwkdTQLrI6JYWgqN7TQfio=
X-Google-Smtp-Source: AGHT+IEQYcb/jIR8eRUoBodZJNh5t9wTGWeaocho3bCrAOpjDmRsUquerdRBMvzSiCMcvoXfwknVpByjtde0bwFtCcE=
X-Received: by 2002:a6b:e00b:0:b0:7c7:7c2c:a42d with SMTP id z11-20020a6be00b000000b007c77c2ca42dmr362795iog.4.1709155336389; Wed, 28 Feb 2024 13:22:16 -0800 (PST)
MIME-Version: 1.0
References: <9C4B65D7-EC9D-40BC-9B23-825F7FE8FB7E@isc.org> <20240227220905.E06018410007@ary.qy> <641C2E38-F1A8-435B-BA6F-770FEE9AEEA5@icann.org>
In-Reply-To: <641C2E38-F1A8-435B-BA6F-770FEE9AEEA5@icann.org>
From: Shumon Huque <shuque@gmail.com>
Date: Wed, 28 Feb 2024 16:22:04 -0500
Message-ID: <CAHPuVdWGQL5bRRqPj=-g_02y-7sZG-1WyiTCqktbdba=PuzEvg@mail.gmail.com>
To: Edward Lewis <edward.lewis@icann.org>
Cc: John Levine <johnl@taugh.com>, "dnsop@ietf.org" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b10b3f061277bca6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/MQ166RCBdLW5xtawIRppSeQGJ80>
Subject: Re: [DNSOP] [Ext] About key tags
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Feb 2024 21:22:18 -0000

On Wed, Feb 28, 2024 at 3:59 PM Edward Lewis <edward.lewis@icann.org> wrote:

> On 2/27/24, 17:09, "DNSOP on behalf of John Levine" <
> dnsop-bounces@ietf.org on behalf of johnl@taugh.com> wrote:
>
> >    The kind of load is different but in each case the client needs to
> >    limit the amount of work it's willing to do. We can forbid it in the
> >    protocol but unless you have better contacts at the Protocol Police
> >    than I do, people will do it anyway.
>
> I side with John Levine's line of reasoning, that the solution is
> defending against taking on too much work (in this case, the validator caps
> it's effort - in whatever way is appropriate).  It would be futile to
> prevent key tag collisions from happening via a protocol change as a
> malicious actor is not bounded by specifications.
>
> If it is forbidden in the protocol, it might still happen.
>

Yeah, as you might guess from my past messages on this thread, I am of the
same opinion. There is a general principle about limiting work that
resolvers need to follow, and this recent attack (like many others before
it) exploited resolvers that failed to sensibly do that. The novel thing in
KeyTrap is that it exploited a failure to bound cryptographic work, but the
same principle applies.

Here's my minor restatement of the resolver's top priority from RFC 1034:

      Bound the amount of work (e.g. packets sent, parallel processes
      started, computations performed, time spent) so that a request
      can't get into an infinite loop, start off a chain reaction or
      unreasonably lengthy sequence of tasks, requests or queries,
      EVEN IF SOMEONE HAS INCORRECTLY OR MALICIOUSLY
      CONFIGURED SOME DATA.

In the parenthetical examples of bounding work, I've added "computations
performed" and "time spent".

And in the uppercased "EVEN IF" phrase, I've added "MALICIOUS CONFIGURED".

I think the specific case of keytag collisions does deserve some special
thought though. Even if resolvers limit the number of collisions, it's in a
zone owner's interest to not have them at all. Colliding keytags in the
DNSKEY RRset means imposing additional unnecessary signature verification
work on resolvers for verifying every signed RRset in the response. And for
efficiency reasons, a zone owner should want to have their answers accepted
by validating resolvers with the minimum amount of work (and no unnecessary
work).

Banning keytag collisions outright today would not be a good idea - we risk
rendering some sights unresolvable through no fault of their own. DNSSEC
already has plenty of detractors, and we don't want to give them more
ammunition by creating problems in the ecosystem that can be easily
avoided. I think writing a BCP telling folks how to avoid collisions would
make sense though (and yes, it needs to cover the multi-signer case too).

Shumon.

v2.23.0 | Report a Bug | By Email