Re: [DNSOP] ECDSA woes

Dan York <york@isoc.org> Tue, 18 October 2016 18:03 UTC

From: Dan York <york@isoc.org>
To: Mikael Abrahamsson <swmike@swm.pp.se>
Thread-Topic: [DNSOP] ECDSA woes
Date: Tue, 18 Oct 2016 18:03:45 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Z1aAND3WGxjW5GKQ3pRL7WhNnLM>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>, Ray Bellis <ray@bellis.me.uk>
Subject: Re: [DNSOP] ECDSA woes

Mikael,

On Oct 15, 2016, at 11:22 AM, Mikael Abrahamsson <swmike@swm.pp.se> wrote:

> These kinds of migration scenarios to newer algorithms MUST be hashed out, because otherwise we're never going to be able to deploy new algorithms (and per previous experience, it seems we want to change them every 5-10 years).

Agreed! To capture this kind of information, a group of us wrote a draft in DNSOP about new crypto algorithms:

https://tools.ietf.org/html/draft-york-dnsop-deploying-dnssec-crypto-algs-01

In section 2.1.1 we mention the situation with resolvers and unknown algorithms. However, we assume compliance with RFC 4035. Your case study here shows that we need to add some text about the challenge that can happen if the resolver does the wrong thing and fails the validation.

I'll add that. Thank you for bringing this case to the list.

It seems to me there is a larger issue of whether a system will "fail insecure" (or "fail open") or "fail secure".

RFC 4035 has the "fail insecure" view where the DNS info is still passed along, thus allowing the deployment of new algorithms to NOT break things, although with a lower level of security until the new algorithms are supported.

It seems the dnsmasq developers chose to "fail secure" thus potentially "protecting" the end user from insecure data, although in this case the data is secure, just not understood to be secure.

This is one of the tougher points of algorithm change, particularly when so many of the resolvers may be in commodity customer-premises equipment (CPE) that may or may not be easily updated or replaced.

Dan


--
Dan York
Senior Content Strategist, Internet Society
york@isoc.org   +1-802-735-1624
Jabber: york@jabber.isoc.org
Skype: danyork   http://twitter.com/danyork

http://www.internetsociety.org/
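
Added example, not part of the original message and not code from dnsmasq or any other resolver: a minimal model of the validator decision discussed above, contrasting the RFC 4035 section 5.2 handling of a DS RRset with no supported algorithm ("fail insecure") against a strict "fail secure" policy. The function names, the fail_secure switch and the sample zone data are assumptions made for illustration; the algorithm numbers are the IANA DNSSEC values.

```python
from enum import Enum

# IANA DNSSEC algorithm numbers (subset).
RSASHA1, RSASHA256, ECDSAP256SHA256 = 5, 8, 13


class Status(Enum):
    SECURE = "secure"      # chain validated; answer returned as authenticated
    INSECURE = "insecure"  # answer returned, but unauthenticated
    BOGUS = "bogus"        # validation failed; client sees SERVFAIL


def classify_delegation(ds_algs, supported, sig_ok, fail_secure=False):
    """Decide the security status of a child zone.

    ds_algs     -- algorithm numbers in the authenticated DS RRset
    supported   -- algorithm numbers this validator implements
    sig_ok      -- callable(alg) -> bool, stands in for real RRSIG checking
    fail_secure -- hypothetical strict policy: unknown algorithm => BOGUS
    """
    if not ds_algs:
        return Status.INSECURE  # proven unsigned delegation
    usable = [a for a in ds_algs if a in supported]
    if not usable:
        # RFC 4035 section 5.2: no supported algorithm in the DS RRset is
        # handled like a proven absence of DS, i.e. the zone is insecure.
        return Status.BOGUS if fail_secure else Status.INSECURE
    # At least one algorithm is understood, so a valid signature is required.
    return Status.SECURE if any(sig_ok(a) for a in usable) else Status.BOGUS


def deliverable(status):
    """True if the resolver hands the answer to the client."""
    return status is not Status.BOGUS


def always_valid(alg):
    """Constructed stand-in: the zone's signatures are cryptographically fine."""
    return True


# Constructed scenario: an old CPE resolver that only implements RSA, and a
# correctly signed zone whose DS RRset lists ECDSA P-256 only.
OLD_CPE = {RSASHA1, RSASHA256}
ZONE_DS = [ECDSAP256SHA256]

if __name__ == "__main__":
    for strict in (False, True):
        s = classify_delegation(ZONE_DS, OLD_CPE, always_valid, fail_secure=strict)
        print(f"fail_secure={strict}: {s.value}, delivered={deliverable(s)}")
```

Under the strict policy the correctly signed ECDSA zone becomes unreachable for clients behind the old resolver, which is the deployment problem the message describes.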