IETF Logo Mail Archive

Re: [DNSOP] [Ext] About key tags

Mark Andrews <marka@isc.org> Tue, 27 February 2024 21:15 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E89EC14CF15 for <dnsop@ietfa.amsl.com>; Tue, 27 Feb 2024 13:15:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.407
X-Spam-Level:
X-Spam-Status: No, score=-4.407 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b="PF5z6VTv"; dkim=pass (1024-bit key) header.d=isc.org header.b="KR9/yzJb"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wmykznZkJVBf for <dnsop@ietfa.amsl.com>; Tue, 27 Feb 2024 13:15:21 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.2.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45E0CC14F70E for <dnsop@ietf.org>; Tue, 27 Feb 2024 13:15:21 -0800 (PST)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.2.31]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id DBBFA3AB1B2; Tue, 27 Feb 2024 21:15:20 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org DBBFA3AB1B2
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.2.31
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1709068520; cv=none; b=BUjrq+urT2sb/vqBKqxrS/RhT7nDOp+ASiKwk0PxOVj0w6MiqY/epS6fEcXgwEjp9Dg1MNHka/ILtn9LcsBQc/zsIr+g8wPwaVsht6XXjAlZ9KBJ7y6eqHim5c8e/EiIyKqCuJP4CFbjup1bE5HBSoJfTXGKApX0vqkE6tNPdYw=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1709068520; c=relaxed/relaxed; bh=VvAFEQ7bqlpAlxo8fGyVhsFHiqOCwUmepCm14j9dnbw=; h=DKIM-Signature:DKIM-Signature:Mime-Version:Subject:From:Date: Message-Id:To; b=T9Xsus7IuB2mH40OGdHMDAtV9e5lGvbEfybUYQSVTMu9cDgDBETWhiIXtrIad4TazZPD8H/nVMs0peM3u71fe77gOWOZUXzRyBXetHLH75mSBTPK7ZoXhki8yn3l+v7Fiyxg5Onza1VVOrPcdzm+xMS8ZwzPJxW86KCExf5Kl1I=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org DBBFA3AB1B2
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1709068520; bh=+32CjkLNBeg9fyUZ+A4KePCcvdKedwoCDEMVzfFkrks=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=PF5z6VTvEmXGVc8U3/rSSog5oyhbPwLunGU3B/tfF3OBmHL35XQpl/35BBRiDlLHW UjCJbejImwxuEJTCdVcyVnCTEPIZRwo11aKUUaNfIh59qi7YQOUJ9jTQUIXrmWU41E zK1Kpgo5J9bkio02Remb79VApCkn/C0H2K/A4sV8=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id D81FF114B5DE; Tue, 27 Feb 2024 21:15:20 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id B3744114B5E0; Tue, 27 Feb 2024 21:15:20 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org B3744114B5E0
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1709068520; bh=VvAFEQ7bqlpAlxo8fGyVhsFHiqOCwUmepCm14j9dnbw=; h=Mime-Version:From:Date:Message-Id:To; b=KR9/yzJb/ElayQIzVbPF1R+/QchYz5P1VUbtfZEu8FStm6Z5R5mV2UCuTcilcjqdJ TAbyF3o1QVRWO/mnahCOWeW3CcS2kRfqfO5o8jyEhxH8tYiRMC1JsWUGUfeg1PgorN EEEKFHpIjqqRQmBtQg5UkISBZpfdiUY19GI1B/sE=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavis, port 10026) with ESMTP id rkbUv2zspVDK; Tue, 27 Feb 2024 21:15:20 +0000 (UTC)
Received: from smtpclient.apple (n49-187-27-239.bla1.nsw.optusnet.com.au [49.187.27.239]) by zimbrang.isc.org (Postfix) with ESMTPSA id BDA24114B5DE; Tue, 27 Feb 2024 21:15:19 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6.1.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <c5a885e7-0790-4061-8311-a03cb5ac9dee@desec.io>
Date: Wed, 28 Feb 2024 08:15:07 +1100
Cc: Jim Reid <jim@rfc1035.com>, Joe Abley <jabley@strandkip.nl>, IETF DNSOP WG <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <9C4B65D7-EC9D-40BC-9B23-825F7FE8FB7E@isc.org>
References: <AB885381-32F3-4CEA-8FA9-9E727EABCB5A@rfc1035.com> <662C2C75-EB81-42DB-94E0-822360B0664E@strandkip.nl> <2352E7C1-DF06-4548-AF3F-F643481991F1@rfc1035.com> <c5a885e7-0790-4061-8311-a03cb5ac9dee@desec.io>
To: Peter Thomassen <peter@desec.io>
X-Mailer: Apple Mail (2.3731.700.6.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/VVY5WPvlR8lIbxC1FTsbsceZtEY>
Subject: Re: [DNSOP] [Ext] About key tags
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Feb 2024 21:15:25 -0000


> On 28 Feb 2024, at 05:52, Peter Thomassen <peter@desec.io> wrote:
> 
> 
> 
> On 2/16/24 17:19, Jim Reid wrote:
>>> If a zone's signatures and keys are constructed and published in such a way that it causes indigestion in validators, and as a consequence validators fail to return responses for data in that zone, that's a self-inflicted problem and the zone administrator surely has every incentive to fix the problem. If the tools the zone administrator is using make the problem hard to make, then so much the better.
>> If validators can also make this problem hard to make, that’s so much the better too. That should give signers a strong incentive to fix their self-inflicted problem and stop hurting validating resolvers.
> With (some) validators returning SERVFAIL when encountering a keytag collision, any operator adding a DNSKEY (e.g., for rollover) will, in roughly 2^-16 of cases, break their zone without notice.
> 
> It's not clear to me how one would characterize such validator policy as "mak[ing] this problem hard to make".
> 
> It rather seems like inviting instability, then telling the signer "well, you knew...! Or should have, at least."
> 
> I don't see in what way that's better than what we have with the current fixes, which successfully address the problem and (AFAICS) don't need to be touched again.

The current “fixes” still leave validators more vulnerable to cpu exhaustion attacks than eliminating colliding key tags in the signer does. This is a protocol bug that leads to cpu exhaustion.  We, the IETF, have a duty to fix this at the protocol level.  Vendors of signers then have a duty to fix this in their products.  It that requires writing new tools to co-ordinate in the multi-signer scenario then so be it.  I write the last as a vendor that would need to write such a tool.

We have spent time bringing down the number of iterations in NSEC3 records due to CPU exhaustion.  What is the difference with fixing this with DNSKEYs?  Is it "I don’t want to touch my code”?

> Best,
> Peter
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email