IETF Logo Mail Archive

Re: [DNSOP] [Ext] More private algorithms for DNSSEC

Mark Andrews <marka@isc.org> Tue, 29 March 2022 21:45 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D97983A059F for <dnsop@ietfa.amsl.com>; Tue, 29 Mar 2022 14:45:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b=TeG0Gkmg; dkim=pass (1024-bit key) header.d=isc.org header.b=JIh+NMVk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yoK6l_mzvXrr for <dnsop@ietfa.amsl.com>; Tue, 29 Mar 2022 14:45:37 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37E303A0597 for <dnsop@ietf.org>; Tue, 29 Mar 2022 14:45:36 -0700 (PDT)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.1.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 4AB0F3AB007; Tue, 29 Mar 2022 21:45:35 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org 4AB0F3AB007
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1648590335; bh=BcANvMsarjsOQ3AwbYHjBQEdjIG/off4e6g2+Moe79U=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=TeG0GkmguH8CyY4c8pKgaIx3Q+rUEESgULSDY9Wn+bLmziollMldQ3NNqcHzSRRjF gMG1YxhvrxMDjGc4G+UchG/a8HMUMdv1g2Yfu4H3RFMAa6cHpFZGMKswUPeTCKAUml uS+gLuzv65zgzNTuOuBue7AX7SC8tckKwlWU146A=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id 70EA2110558E; Tue, 29 Mar 2022 21:44:31 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 47CD21105591; Tue, 29 Mar 2022 21:44:31 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 47CD21105591
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1648590271; bh=USEnl6uO0mmCUeEVLblrk63wtE1sGyzJYHwNfy1ALDM=; h=Mime-Version:From:Date:Message-Id:To; b=JIh+NMVk30t4JdgEvwSYlcrcVRa+V1dnZWWINU/JIfTCCfDNUWOLFa60Mnum/0km3 bNtFiJ02i5Lke4Gt/WZubQVy2pV61vYH6Bw4gPKGeyhEkW72/CTs2QFUI02fbRgSLb dsiq+YGMeT+IeXkmmqqddgprqtaXqymkkLE/CCOg=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id LEh1r_I_bBA8; Tue, 29 Mar 2022 21:44:31 +0000 (UTC)
Received: from smtpclient.apple (n114-74-26-107.bla4.nsw.optusnet.com.au [114.74.26.107]) by zimbrang.isc.org (Postfix) with ESMTPSA id 73DBB110558E; Tue, 29 Mar 2022 21:44:30 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <C65EB811-E636-4732-AB41-2DE32A297D5F@isc.org>
Date: Wed, 30 Mar 2022 08:45:31 +1100
Cc: dnsop WG <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <D82CAF7B-9EA7-4CC1-97C9-320A9696BC55@isc.org>
References: <585479E8-293C-42D4-BA2F-7FD99B27EBDE@isc.org> <C65EB811-E636-4732-AB41-2DE32A297D5F@isc.org>
To: Paul Hoffman <paul.hoffman@icann.org>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/OikUItcoa4Of0MNiHzj458cB3KY>
Subject: Re: [DNSOP] [Ext] More private algorithms for DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Mar 2022 21:45:42 -0000

To fix this we need to extend DS to say that for any newly allocated digest types that they must include
the matching DNS name for algorithm 253 and the match IOD for algorithm 254 before actual digest in the digest
field.  Then allocate PRIVATE SHA256, PRIVATE SHA-384 and PRIVATE GOST R 34.11-94 which are replacements for
SHA256, SHA-384 and GOST R 34.11-94 respectively that support pre-publishing DS for PRIVATEDNS and PRIVATEOID.

> On 29 Mar 2022, at 08:08, Mark Andrews <marka@isc.org> wrote:
> 
>  Note you can’t prepublish a DS to roll keys  you need to publish the DNSKEY first. 
> 
> -- 
> Mark Andrews
> 
>> On 29 Mar 2022, at 05:33, Mark Andrews <marka@isc.org> wrote:
>> 
>> 
>> 
>>> On 29 Mar 2022, at 01:34, Paul Hoffman <paul.hoffman@icann.org> wrote:
>>> 
>>>> On Mar 27, 2022, at 6:23 PM, Mark Andrews <marka@isc.org> wrote:
>>>> There is zero reason to reserve any ADDITIONAL space for experimentation.
>>> 
>>> Assume that you want to experiment with creating responses that have multiple as-yet-undefined algorithms. How would you do that today? Differentiating in the RRdata, as is done today, would create a single RRset in the response.
>>> 
>>> --Paul Hoffman
>>> 
>> 
>> You would add records of type 253 with “alg1.example.org” as the first algorithm name, “alg2.example.org” as the second algorithm name where example.org is a domain you control. If someone else is running another experiment they add 253 with the algorithm name specified as “alg1.example.net” where example.net is a domain they control.
>> 
>> When you are checking if you support a particular instance of PRIVATEDNS you check the algorithm name as well as the algorithm number (253).
>> 
>> For working out if the DS record indicates support for your PRIVATEDNS algorithm you need to find the matching DNSKEY based on the hash and extract the PRIVATEDNS algorithm name.  If you can’t find a matching DNSKEY the DNSKEY RRset is bogus as the DS record says that the DNSKEY record exists.
>> 
>> If you want to see how this would work add “PRIVATE-RSASHA256” using RSASHA256.ICANN.ORG as the first algorithm name and “PRIVATE-ECDSAP256SHA256” with ECDSAP256SHA256.ICANN.ORG as the second name as a starting point where they are reimplementations of RSASHA256 and ECDSAP256SHA256 respectively.  Throw in “UNKNOWN.ICANN.ORG” with some random data as the rest of the key.
>> 
>> About the only part not already specified is matching DS to DNSKEY using PRIVATEDNS but as you can see it is obvious to anyone with a little bit of cryptographic understanding.
>> 
>> Mark
>> -- 
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
>> 
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email