IETF Logo Mail Archive

Re: [DNSOP] ECDSA woes

"Ralf Weber" <dns@fl1ger.de> Sat, 15 October 2016 15:42 UTC

Return-Path: <dns@fl1ger.de>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C34F212951C for <dnsop@ietfa.amsl.com>; Sat, 15 Oct 2016 08:42:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bBkAcskeP-7m for <dnsop@ietfa.amsl.com>; Sat, 15 Oct 2016 08:42:11 -0700 (PDT)
Received: from smtp.guxx.net (smtp.guxx.net [IPv6:2a01:4f8:a0:322c::25:42]) by ietfa.amsl.com (Postfix) with ESMTP id D909E1294FD for <dnsop@ietf.org>; Sat, 15 Oct 2016 08:42:10 -0700 (PDT)
Received: by nyx.guxx.net (Postfix, from userid 107) id 4337D5F40957; Sat, 15 Oct 2016 17:42:09 +0200 (CEST)
Received: from [64.89.232.131] (unknown [199.187.216.191]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by nyx.guxx.net (Postfix) with ESMTPSA id 9D5BC5F4046B; Sat, 15 Oct 2016 17:42:07 +0200 (CEST)
From: Ralf Weber <dns@fl1ger.de>
To: Mikael Abrahamsson <swmike@swm.pp.se>
Date: Sat, 15 Oct 2016 10:42:05 -0500
Message-ID: <0A83A7D9-E7E8-4494-86F9-F19AE96967D7@fl1ger.de>
In-Reply-To: <alpine.DEB.2.02.1610151717420.12036@uplift.swm.pp.se>
References: <alpine.DEB.2.02.1610150806380.26951@uplift.swm.pp.se> <c1e14584-a444-37ef-1e4c-d1077ba4f384@bellis.me.uk> <alpine.DEB.2.02.1610151717420.12036@uplift.swm.pp.se>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
X-Mailer: MailMate (1.9.5r5263)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/_XFF6PDuEWltunYw8k6Im4iRmrI>
Cc: dnsop@ietf.org, Ray Bellis <ray@bellis.me.uk>
Subject: Re: [DNSOP] ECDSA woes
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Oct 2016 15:42:12 -0000

Moin!

On 15 Oct 2016, at 10:22, Mikael Abrahamsson wrote:

> set up a domain with a algorithm ID nobody will ever implement 
> (reserve it if need be), and check that this domain returns as 
> unvalidated (as per SHOULD in the RFC).
Geoff Houston did some research here some years ago and just did an 
update to his findings. You might want to look at:
	http://www.potaroo.net/ispcol/2016-10/ecdsa-v2.html

> Put in a MUST in relevant standards that implementation must not treat 
> this identifier as anything but "I don't know anything about this" (ie 
> don't implement specific tests for this "algorithm" and treat it 
> differently from any other algorithm ID that is unknown).
I'm not sure a change in the standards will be possible as if remember 
correct some people think that the fallback to insecure is a not a good 
thing. So am not sure if we could achieve consensus on that. I think the 
current RFC are clear enough and later version of dnsmasq have corrected 
the problem.

> These kinds of migration scenarios to newer algorithms MUST be hashed 
> out, because otherwise we're never going to be able to deploy new 
> algorithms (and per previous experience, it seems we want to change 
> them every 5-10 years).
Yes and there is some work in the TLD space. You might want to listen to 
Ondreys talk at DNS-OARC:
	https://indico.dns-oarc.net/event/25/session/2/contribution/2

There are always issues rolling out new stuff, the sooner we encounter 
and fix them the better. So thanks for finding and pointing it out.

So long
-Ralf

v2.23.0 | Report a Bug | By Email