Re: [DNSOP] [Ext] About key tags and their infrequent collisions

John R Levine <johnl@taugh.com> Wed, 28 February 2024 17:42 UTC

Date: Wed, 28 Feb 2024 12:42:08 -0500
Message-ID: <20f4b7c3-1123-2b35-95a6-c8d6a0f2a8d1@taugh.com>
From: John R Levine <johnl@taugh.com>
To: "libor.peltan" <libor.peltan@nic.cz>, dnsop@ietf.org
Cc: peter@desec.io
In-Reply-To: <0dbcd653-878e-4726-9a89-56655f8365eb@nic.cz>
References: <20240227202409.70647840DF26@ary.qy> <0dbcd653-878e-4726-9a89-56655f8365eb@nic.cz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/_AdlS5d--MpsoM4nXrCL6NOPt_E>

On Wed, 28 Feb 2024, libor.peltan wrote:
> Dne 27. 02. 24 v 21:24 John Levine napsal(a):
>> The total number of domains where I found duplicate tags was 105.
>> 
> As I said earlier, while I appreciate such research, I warn against 
> misinterpreting it. The main point isn't about the zones that are currently 
> experiencing a keytag-conflict; it's about the zones where there is a 
> potential threat that they might do tomorrow (considering the case when many 
> mainstream validating resolvers would start enforcing strong 
> keytag-conflict-intolerance).

Sure, but my point is that you don't need to overthink this.  If your 
cache stops when it sees 8 or even 5 colliding IDs or signatures, the 
chance that you will fail any real queries is vanishingly small.  You can 
mitigate the problem without any complicated thread or schedule management 
or protocol changes.  You'll still handle the real cases where a few IDs 
collide by accident.

In retrospect it would have been a good idea to pick a less lame checksum 
but I suppose if it's good enough for TCP, it's good enough for DNSSEC.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
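The cap the reply describes, written out as an added example (this is not code from the thread, nor from any resolver). It computes the RFC 4034 Appendix B key tag over DNSKEY RDATA, picks the candidate keys an RRSIG forces a validator to try (zone-key flag, protocol 3, matching algorithm and key tag, per RFC 4035 section 5.3.1), and gives up once more than a fixed number of keys or signatures share one tag. The `DNSKey`, `RRSIGRef`, `colliding_zsks` names and every key byte are constructed for the example; the fixture keys are placeholders with no cryptographic meaning.

```python
"""Resolver-side cap on key tag collisions (added example, not from the thread).

Implements the RFC 4034 Appendix B key tag, the RFC 4035 candidate-key
selection for an RRSIG, and a simple bound: stop validating when more than
`limit` keys, or more than `limit` signatures, share a single key tag.
All key bytes below are constructed placeholders, not real DNSSEC keys.
"""
import struct
from collections import Counter
from itertools import permutations
from typing import Iterable, List, NamedTuple

ZONE_KEY_FLAG = 0x0100  # RFC 4034 section 2.1.1
DNSSEC_PROTOCOL = 3


class DNSKey(NamedTuple):
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags, protocol, algorithm, public key."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.pubkey


class RRSIGRef(NamedTuple):
    """The two RRSIG fields that drive key selection."""
    algorithm: int
    key_tag: int


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: sum of big-endian 16-bit words, carry folded back in.

    Algorithm 1 (RSA/MD5) uses a different rule and is not handled here.
    """
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def candidate_keys(sig: RRSIGRef, keys: Iterable[DNSKey]) -> List[DNSKey]:
    """Keys a validator has to try for `sig` (RFC 4035 section 5.3.1)."""
    return [
        k for k in keys
        if k.flags & ZONE_KEY_FLAG
        and k.protocol == DNSSEC_PROTOCOL
        and k.algorithm == sig.algorithm
        and key_tag(k.rdata()) == sig.key_tag
    ]


def verification_attempts(sigs: Iterable[RRSIGRef], keys: Iterable[DNSKey]) -> int:
    """Upper bound on signature checks a validator that tries every pair performs."""
    keys = list(keys)
    return sum(len(candidate_keys(s, keys)) for s in sigs)


def collision_cap_exceeded(sigs: Iterable[RRSIGRef], keys: Iterable[DNSKey], limit: int) -> bool:
    """True when more than `limit` keys, or more than `limit` signatures, share one tag.

    Answering SERVFAIL at this point bounds the work without any per-query
    CPU accounting; a limit of 5 or 8 still validates zones where a few tags
    collide by accident.
    """
    key_groups = Counter(key_tag(k.rdata()) for k in keys)
    sig_groups = Counter(s.key_tag for s in sigs)
    biggest = max(list(key_groups.values()) + list(sig_groups.values()), default=0)
    return biggest > limit


def colliding_zsks(count: int, algorithm: int = 13) -> List[DNSKey]:
    """Constructed fixture: `count` distinct ZSKs whose RDATA share one key tag.

    The tag is a plain word sum, so reordering the 16-bit words of the public
    key field leaves it unchanged (the RDATA header is 4 bytes, so word
    boundaries line up). This is the checksum weakness the message refers to.
    """
    base = [b"\x01\x02", b"\x03\x04", b"\x05\x06", b"\x07\x08"]
    keys: List[DNSKey] = []
    for words in permutations(base):
        if len(keys) == count:
            break
        keys.append(DNSKey(ZONE_KEY_FLAG, DNSSEC_PROTOCOL, algorithm, b"".join(words)))
    return keys


if __name__ == "__main__":
    ksk = DNSKey(ZONE_KEY_FLAG | 0x0001, DNSSEC_PROTOCOL, 13, bytes(range(0x0A, 0x12)))
    zone = colliding_zsks(2) + [ksk]  # two ZSKs collide by "accident", one KSK
    sigs = [RRSIGRef(13, key_tag(zone[0].rdata())), RRSIGRef(13, key_tag(ksk.rdata()))]
    print("tag groups:", sorted(Counter(key_tag(k.rdata()) for k in zone).items()))
    print("attempts:", verification_attempts(sigs, zone))
    print("cap hit at 5:", collision_cap_exceeded(sigs, zone, limit=5))
    flood = colliding_zsks(9) + [ksk]  # nine keys on one tag: cap of 8 trips
    print("cap hit at 8:", collision_cap_exceeded(sigs, flood, limit=8))
```

The two-key zone passes a cap of 5 with three candidate checks in total, which is the ordinary accidental-collision case the reply says must keep working; the nine-key set exceeds a cap of 8 and is refused before any signature is verified, which is the only place the bound does anything.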