Re: [DNSOP] One more bit of Whiskey Tango Foxtrot on key lengths...

Nicholas Weaver <nweaver@icsi.berkeley.edu> Fri, 28 March 2014 12:24 UTC

Return-Path: <nweaver@icsi.berkeley.edu>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C0671A0430 for <dnsop@ietfa.amsl.com>; Fri, 28 Mar 2014 05:24:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lbZGJRUdv0EQ for <dnsop@ietfa.amsl.com>; Fri, 28 Mar 2014 05:24:32 -0700 (PDT)
Received: from rock.ICSI.Berkeley.EDU (rock.ICSI.Berkeley.EDU [192.150.186.19]) by ietfa.amsl.com (Postfix) with ESMTP id A565C1A0636 for <dnsop@ietf.org>; Fri, 28 Mar 2014 05:24:31 -0700 (PDT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by rock.ICSI.Berkeley.EDU (Postfix) with ESMTP id D7BE22C4053; Fri, 28 Mar 2014 05:24:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ICSI.Berkeley.EDU
Received: from rock.ICSI.Berkeley.EDU ([127.0.0.1]) by localhost (maihub.ICSI.Berkeley.EDU [127.0.0.1]) (amavisd-new, port 10024) with LMTP id HaxTX0j68djD; Fri, 28 Mar 2014 05:24:29 -0700 (PDT)
Received: from [10.0.1.22] (c-76-103-162-14.hsd1.ca.comcast.net [76.103.162.14]) (Authenticated sender: nweaver) by rock.ICSI.Berkeley.EDU (Postfix) with ESMTP id 1D5B42C4010; Fri, 28 Mar 2014 05:24:29 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_C1B5F6AD-12DA-4CC5-9CF5-8EA39A712699"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: Nicholas Weaver <nweaver@icsi.berkeley.edu>
In-Reply-To: <20140328083451.GA2699@nic.fr>
Date: Fri, 28 Mar 2014 05:24:27 -0700
Message-Id: <DCEC9EED-2E71-4286-89D7-C69EDF9EA6C0@icsi.berkeley.edu>
References: <596FB4BA-D567-40B5-B48B-624E58435800@icsi.berkeley.edu> <20140328083451.GA2699@nic.fr>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/VBVcXuThoL-f2NVR1evwX-C2Wxs
Cc: dnsop WG <dnsop@ietf.org>, Nicholas Weaver <nweaver@icsi.berkeley.edu>
Subject: Re: [DNSOP] One more bit of Whiskey Tango Foxtrot on key lengths...
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Mar 2014 12:24:34 -0000


On Mar 28, 2014, at 1:34 AM, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:

> On Thu, Mar 27, 2014 at 01:15:00PM -0700,
> Nicholas Weaver <nweaver@icsi.berkeley.edu> wrote 
> a message of 75 lines which said:
> 
>> But fixing this going forward requires a 1-line change in the ZSK
>> script:
> 
> I have nothing against longer keys but this sort of sentences ("DNSSEC
> is simple, anyone can do it in five minutes") is a sure way to inflame
> me. It is not sufficient to change the script, you also have to search
> if it can break things later. A typical example would be the larger
> response to the DNSKEY query. If changing the key size make it larger
> than the MTU, it _may_ create problems.

It doesn't.  If you have 2 DNSKEYs and one RRSIG, a 2048b KSK and a 1024b ZSK, it goes from 750B to 880B.  With two ZSKs it goes to 1100B.  You only have an issue if you have 3+ ZSKs valid.

Or then you have cases like .org, where you are using 1024b ZSK keys but because there are enough and a key roll of the KSK and other crud going on right now, its ALREADY busting the MTU limit as you have 2 1024b keys, 2 2048b keys, and 2 2048b RRSIGs.  So if MTU was an issue, that would already be up and biting people...

> dig +dnssec DNSKEY org @199.19.56.1
...
;; Query time: 123 msec
;; SERVER: 199.19.56.1#53(199.19.56.1)
;; WHEN: Fri Mar 28 05:16:16 2014
;; MSG SIZE  rcvd: 1625


Yes, its deliberately inflamitive on my part to say its "just a 1 line change", but sweet jeebus people: IF DNSSEC wants to actually be taken, you know, seriously as crypto, using 1024b signatures in the key positions of root and the TLDs is not gonna cut it.  It is safe to assume that 1024b RSA is broken by nation state adversaries.  NIST recommend it it be deprecated in 2010, and all use stopped in 2013.

And the code paths are well tested: resolvers hit fragments more than enough on DNSSEC for any resolver which validates and has fragment issues to have sucky performance as it dropped its MTU to 512b [1], while since the KSKs are 2048b the crypto is already flowing, the code paths are well tested.



[1] Yes, I've many times pointed out that the first stage EDNS0 fallback should be to 1400b, but I doubt that code has changed at all yet...

--
Nicholas Weaver                  it is a tale, told by an idiot,
nweaver@icsi.berkeley.edu                full of sound and fury,
510-666-2903                                 .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc