IETF Logo Mail Archive

Re: [DNSOP] [Ext] About key tags

John Levine <johnl@taugh.com> Sat, 02 March 2024 22:49 UTC

Return-Path: <johnl@iecc.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE197C14F6B8 for <dnsop@ietfa.amsl.com>; Sat, 2 Mar 2024 14:49:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.159
X-Spam-Level:
X-Spam-Status: No, score=-4.159 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iecc.com header.b="fMXNoSq2"; dkim=pass (2048-bit key) header.d=taugh.com header.b="UxzAWpLt"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kpejPnvxJJWt for <dnsop@ietfa.amsl.com>; Sat, 2 Mar 2024 14:49:34 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D91C1C14F5F6 for <dnsop@ietf.org>; Sat, 2 Mar 2024 14:49:33 -0800 (PST)
Received: (qmail 57213 invoked from network); 2 Mar 2024 22:49:31 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:cleverness; s=df7b65e3acfb.k2403; bh=if8ytHxKmT7eEK9fT84NX7E9G+fEZlXa3FKGLxPRHRs=; b=fMXNoSq2vFg2XTb4+XQT1MYNzMrdAmP3LpTEJA1Zrg+VHFCNDEFM3aNrMf6VPbOBKJbsnQhAVKrE9UthWA5lFatY1chXg+Ijc9IbdmTEToplpFfrv7LIIbEAPyu1TF3FL55SouoeFiOzeaXczkgQeX+f8vRed2NrQtAJkFDyQRWwHQwA0PNAvb22mKFfBAitr6L1t6oEjXaGZXtdsh1BTL1momznVSfEL3lfj67lr8Nwl7xanKzqa4LcdNKVzHyOQN34qrm3YW5n5CIgKU34oph5UV9+R7ytmCcHnIL/JyGjBNNrcpHX3k5RQp/iZbH7fgZ17TxXeBsPzLezzIxb4g==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:cleverness; s=df7b65e3acfb.k2403; bh=if8ytHxKmT7eEK9fT84NX7E9G+fEZlXa3FKGLxPRHRs=; b=UxzAWpLt7eVDiK8mC8VJfb7K8XLwmKoen6nErrxgRV66L37ioPQpCncYcNF8DTi6/Q4Lxdj75bc7Ikflq5JzoKY2zY3lvYuxnq0eD90EnxWvsPzxBMdK4wFAs1MirO8CpBI64P6a2PYOGO07XuzMEbpHJDfHZ88DPHncv+yr+JckZRz0Udu3QZ/A7s2TSCxPs8mc6b4/xyshqMnfTqsa0PXq9BfaN+WuZcRZ0t0bFq2OkeWFLGhSSBo57rmvay0te2wm9T3YTvmwjdAohbrQIKTI/hqkvSS6E5fWlQnOGzWC0EZ/iJubtaOakBH5+fvVMv6bMwRIn6ZswFnonfIWXA==
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.3 ECDHE-RSA CHACHA20-POLY1305 AEAD) via TCP6; 02 Mar 2024 22:49:30 -0000
Received: by ary.qy (Postfix, from userid 501) id A882E845316A; Sat, 2 Mar 2024 17:49:30 -0500 (EST)
Date: Sat, 02 Mar 2024 17:49:30 -0500
Message-Id: <20240302224930.A882E845316A@ary.qy>
From: John Levine <johnl@taugh.com>
To: dnsop@ietf.org
In-Reply-To: <CAHPuVdWP6kogMaBeDGESOPbTSHBVmZvnKg7dw-uBCh_W5Rz25A@mail.gmail.com>
Organization: Taughannock Networks
X-Headerized: yes
Cleverness: minimal
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/PuKKjPIDMdShThhzX50DUzBBdrM>
Subject: Re: [DNSOP] [Ext] About key tags
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Mar 2024 22:49:38 -0000

It appears that Shumon Huque  <shuque@gmail.com> said:
>Yes, I agree. (Banning keytag collisions, if we are proposing that, is a
>protocol change.)
>
>Not also that DNSKEY set "coherency" is not really the issue. Even for a
>single signer they may be temporarily incoherent across nameservers because
>of normal change propagation delay. Multi-signer operations (for steady
>state or for a transitional state needed for DNS operator changes) can
>extend that period substantially. Collision avoidance is about the key
>generation process and the set of entities involved.

ISC has this nice page about how they dealt with keytrap:

https://www.isc.org/blogs/2024-bind-security-release/

About halfway down is a section "DNS scalability: the good, the bad,
and the ugly" which lists all the different ways a buggy or malicious
server might return stuff that is expensive to process, and then
points out that it is not a bug that the spec does not put hard limits
on any of them. As the Internet has evolved, people have come up with
clever ways to use the DNS, and the lack of hard limits enables it.
The obvious example is CNAME which was originally intended as a
temporary forwarding address but has evolved into all sorts of
mutlti-step cross-domain use without which CDNs would be impossible.

So of course we will describe all the ways we know to detect
and deal with scalability problems, but the solution (so far at
least) has never been to invent a new hard limit.

R's,
John

v2.23.0 | Report a Bug | By Email