Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

Evan Hunt <each@isc.org> Mon, 30 July 2018 23:12 UTC

Date: Mon, 30 Jul 2018 23:12:36 +0000
From: Evan Hunt <each@isc.org>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: "Wessels, Duane" <dwessels@verisign.com>, dnsop@ietf.org
Message-ID: <20180730231236.GA49194@isc.org>
References: <20180724143253.83ACC2002CE789@ary.qy> <84FAA6E0-DF87-4C3B-B033-2830AD6C7675@verisign.com> <4D279E9E-965C-4176-BCEB-EFE6D140F443@vpnc.org>
In-Reply-To: <4D279E9E-965C-4176-BCEB-EFE6D140F443@vpnc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/_mDUA7Mb36g9ji39WyI9m4LWQLc>
Subject: Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>

On Mon, Jul 30, 2018 at 03:44:11PM -0700, Paul Hoffman wrote:
> I am still mystified about the scenario in which a malicious zone
> operator creates two zone files with the same ZONEMD hash, one with the
> right set of addresses for unsigned child zones, and a different one
> with one or more of those child zones with wrong addresses plus enough
> other cruft to make the colliding hashes match. In what world is that
> attack more likely than just not using ZONEMD?

I don't think the imagined attack involves a zone operator creating two
zones. It would be a zone operator creating one zone, with a legitimate
and validly signed ZONEMD, and then someone else creating a fake version
of the zone in which all the signed rrsets still validate, and the ZONEMD
still matches, but the unsigned parts have been mucked with. Adding an RR
count does make that attack more expensive. I'm not sure it makes enough
difference to be worthwhile.

Another imagined attack is someone trying to dump terabytes on you when
you initiate the zone transfer. An RR count could help with that, if you
looked it up before starting the transfer.

(For the record, I neither favor nor oppose the idea. I don't see much
benefit, but I also don't see much cost.)

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.
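As an added illustration of the two checks discussed in this thread (not part of the message above, and not code from ISC, Verisign or the draft authors), the following Python sketch models a ZONEMD-style digest over the whole zone, including the unsigned delegation and glue records, alongside an RR count that is enforced both at verification time and while a transfer is being received. The record format, the canonical ordering, the zone contents, and every function name here are constructed for this example; it does not implement the RFC wire-format serialization that a real ZONEMD digest covers.

```python
import hashlib

# Constructed sample zone. Each record is (owner, ttl, class, type, rdata).
# The delegation NS and its glue A record are the "unsigned parts" that
# the thread is concerned about: DNSSEC does not sign them, so only a
# whole-zone digest (or an out-of-band count) says anything about them.
ZONE = [
    ("example.", 3600, "IN", "SOA",
     "ns1.example. hostmaster.example. 1 7200 3600 1209600 3600"),
    ("example.", 3600, "IN", "NS", "ns1.example."),
    ("example.", 3600, "IN", "NS", "ns2.example."),
    ("ns1.example.", 3600, "IN", "A", "192.0.2.1"),
    ("ns2.example.", 3600, "IN", "A", "192.0.2.2"),
    ("child.example.", 3600, "IN", "NS", "ns1.child.example."),   # unsigned delegation
    ("ns1.child.example.", 3600, "IN", "A", "192.0.2.53"),        # unsigned glue
]

# Constructed variants of the same zone, used to exercise the checks:
# one with the glue address changed, one with an extra record appended.
TAMPERED_GLUE = [rr if rr[0] != "ns1.child.example." else
                 ("ns1.child.example.", 3600, "IN", "A", "203.0.113.9")
                 for rr in ZONE]
PADDED = ZONE + [("pad.example.", 3600, "IN", "TXT", "\"extra record\"")]


def canonical_rr(rr):
    """Toy canonical text form of one record (hypothetical; a real
    implementation canonicalizes names and serializes to wire format)."""
    owner, ttl, rclass, rtype, rdata = rr
    return f"{owner.lower().rstrip('.')}.\t{ttl}\t{rclass}\t{rtype}\t{rdata.lower()}".encode()


def zone_digest(records):
    """SHA-384 over every record in sorted canonical form, excluding the
    ZONEMD record itself, which is how a zone digest avoids covering
    its own value. Byte-wise sorting stands in for DNS canonical order."""
    covered = sorted(canonical_rr(rr) for rr in records if rr[3] != "ZONEMD")
    h = hashlib.sha384()
    for line in covered:
        h.update(line + b"\n")
    return h.hexdigest()


def rr_count(records):
    """Number of records the digest covers (ZONEMD excluded)."""
    return sum(1 for rr in records if rr[3] != "ZONEMD")


def verify_zone(records, expected_digest, expected_rr_count=None):
    """Check a received zone against a trusted digest and, optionally, a
    trusted RR count. The count is checked first because it is cheap and
    bounds the amount of data the digest step has to process."""
    n = rr_count(records)
    if expected_rr_count is not None and n != expected_rr_count:
        return False, f"rr count {n} != {expected_rr_count}"
    if zone_digest(records) != expected_digest:
        return False, "digest mismatch"
    return True, "ok"


def receive_transfer(stream, max_rrs):
    """Consume records from an iterator (standing in for an AXFR) and abort
    as soon as more than max_rrs arrive. This models looking up the RR
    count before starting the transfer so that an oversized stream is cut
    off early instead of being stored in full and rejected afterwards."""
    received = []
    for rr in stream:
        received.append(rr)
        if len(received) > max_rrs:
            raise ValueError(f"transfer exceeded declared RR count {max_rrs}; aborting")
    return received


if __name__ == "__main__":
    trusted_digest = zone_digest(ZONE)
    trusted_count = rr_count(ZONE)
    print("original :", verify_zone(ZONE, trusted_digest, trusted_count))
    print("glue edit:", verify_zone(TAMPERED_GLUE, trusted_digest, trusted_count))
    print("padded   :", verify_zone(PADDED, trusted_digest, trusted_count))
```

The glue-edit case is caught by the digest alone, which is the ordinary ZONEMD benefit. The padded case is rejected by the count before the digest is even computed, and `receive_transfer` shows the same count being used as a hard stop on the number of records a transfer may deliver; that is the only protection either check offers against the "terabytes on transfer" concern, since a digest can only be checked once the whole zone has arrived.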