IETF Logo Mail Archive

[DNSOP] Re: [Ext] New draft on collision free key tags in DNSSEC

Edward Lewis <eppdnsprotocols@gmail.com> Sun, 28 July 2024 00:32 UTC

Return-Path: <eppdnsprotocols@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D41BC14F603 for <dnsop@ietfa.amsl.com>; Sat, 27 Jul 2024 17:32:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.608
X-Spam-Level:
X-Spam-Status: No, score=-1.608 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AN86tndKfPCp for <dnsop@ietfa.amsl.com>; Sat, 27 Jul 2024 17:32:08 -0700 (PDT)
Received: from mail-oo1-xc42.google.com (mail-oo1-xc42.google.com [IPv6:2607:f8b0:4864:20::c42]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7439C14F5F4 for <dnsop@ietf.org>; Sat, 27 Jul 2024 17:32:08 -0700 (PDT)
Received: by mail-oo1-xc42.google.com with SMTP id 006d021491bc7-5d5af8a4abbso1448775eaf.1 for <dnsop@ietf.org>; Sat, 27 Jul 2024 17:32:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1722126728; x=1722731528; darn=ietf.org; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=t61YEO3hR7lOrsjAT1cmP7QxZEhWZd6t2eOB07J3hBY=; b=D62TFJ8geF3UzeMe/qFhXeOLoKgsTNIHqEh/QEk5zV6975rRdpcoFa5LY8QSBrDPr5 w4qvS4QSipfTzX0gEPbKRA8piO3WaYJwoiyY1gbHDaO2meZ3bKWlYPCmoiyiJp3v5Btf K5r7E4YKv6ptMc8CxgXWvaefLyS7GIoSbizpYihQ988n+MkY3Q/l1Vs3wsSBrOC87AdJ aLO4iDnt4vmQvy17LRrkP3yd/75II9rXgJRfC6IwkFlXUZeZHuS7/IHxcM3WUAXmhTaG TjVyi1QRK3ePx8AaS52NhxwgXHVxvos5w7tPmxsNOaIpzIRGj7LLR/oCbmKtr+m/AIm+ YLzQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722126728; x=1722731528; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=t61YEO3hR7lOrsjAT1cmP7QxZEhWZd6t2eOB07J3hBY=; b=IJDgIIq4tP0S+TPCAWHei6MF9FWeKI+mxIoym2f5WmBZK3a4mNAfN7ySNQP59YB88z qXAM6PqEJM4iCpfj0HI7Q3bjuDR3j20wk8u9NjaaaSO6LlJseYnSno8mxgIY0d477pKJ rNgexzebCEiZ8cpEUnd4WibK+i20QCjAuDou1Ywwnx3apEjVmi7ipEVJntM9FohPpyDu zo7J2LB0S1kMrLiLMFc0/ZvkZYzEBpWuPjrh2mCrb1L3NxhP2N7H64WfQtLxaMyalm4D /dyGxUVHawIWZP+RtCRTwno/vewWz7WSSQZW0HJhUUODddcVnU+V1TnuvuIADhPrR3gL KebA==
X-Forwarded-Encrypted: i=1; AJvYcCW4txvcX9D0fScR2oF5BgGqji6nDgBiiDYcVkmujb+TLajqhbmAbrVYjFwupP7+N+yWuZ5Efuyc7ziltBGAxQ==
X-Gm-Message-State: AOJu0Yy9kvl3mpaA/xVGymwh6LYMfS+CchhLlM7VJLntIeB89DJ7F2/r VacfFu4F+L2m8nKiPzeycJLlPsGrrk3xTqi6ABBke1cmgFOH3e2h
X-Google-Smtp-Source: AGHT+IGT8zHKORUGQLJDW1krlCp85pyW8DfL/v2y9qJy6D42EHZS4ZSF29sbOay0eA5T/hpTi23Qjg==
X-Received: by 2002:a05:6358:3126:b0:1ac:f7ac:d777 with SMTP id e5c5f4694b2df-1adb243fac2mr479344555d.2.1722126727777; Sat, 27 Jul 2024 17:32:07 -0700 (PDT)
Received: from smtpclient.apple (pool-96-255-253-89.washdc.fios.verizon.net. [96.255.253.89]) by smtp.gmail.com with ESMTPSA id af79cd13be357-7a1d744552dsm366019285a.104.2024.07.27.17.32.07 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sat, 27 Jul 2024 17:32:07 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.15\))
From: Edward Lewis <eppdnsprotocols@gmail.com>
In-Reply-To: <118eb776-1f8f-4dae-808b-2be09ecbebd9@iecc.com>
Date: Sat, 27 Jul 2024 20:32:06 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <9423CE7B-E7BE-4A43-9689-BBFE9AB8F4B0@gmail.com>
References: <CAHPuVdUveYraaGtrGveKTiLgP1L19G6g6=bsKsHjsPsP5fkiXg@mail.gmail.com> <727BB4FD-2492-4B18-B4DB-80A1C3DFBCD6@icann.org> <CAHPuVdXiNJBnzE+XwCz8bN5jZkhgMSnbcbH7nhZzFwmNQTN7ng@mail.gmail.com> <118eb776-1f8f-4dae-808b-2be09ecbebd9@iecc.com>
To: John Levine <johnl@iecc.com>
X-Mailer: Apple Mail (2.3654.120.0.1.15)
Message-ID-Hash: FSHCLKW5OZOJ75GFZZZWGUNBNUKFKGHW
X-Message-ID-Hash: FSHCLKW5OZOJ75GFZZZWGUNBNUKFKGHW
X-MailFrom: eppdnsprotocols@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Edward Lewis <eppdnsprotocols@gmail.com>, Paul Hoffman <paul.hoffman@icann.org>, dnsop <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: [Ext] New draft on collision free key tags in DNSSEC
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/a2Zdkuh3ko5hMba5W0VtjndtTtc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

On Jul 27, 2024, at 20:00, John Levine <johnl@iecc.com> wrote:
> 
> I am a bad person. My zone uses the new algorithm and I put in two keys with the same tag. Now what? Other than perhaps stopping at two keys rather than three, what is the difference in what resolvers do?

Answering just to further exploration of this - a resolver could elect to declare a service failure if it sees two keys in a DNSKEY resource record set suffering a collision.  (Caveats - same DNS security algorithm as well.)

Resolvers already are allowed to behave according to local policy and refuse to “work too hard” to validate data.  An idea I think is often overlooked is that the beneficiary of DNSSEC are resolvers (specifically caches), DNSSEC is supplying them cryptographic data to decide whether a data set has made it form the source to them unscathed.  Often we (collectively) talk about DNSSEC being an extension of a zone administrator’s policy, but it isn’t, despite the zone setting all the parameters.

As part of my answering to "further exploration", I’m skeptical that it is possible eliminate key tag collisions from the protocol.  Not that collisions are in anyway desirable or are worthy of being tolerated, my skepticism is whether or not elimination is possible.  Which is why I was thinking of where it would be enforced - in a benign setting at the primary, which of course doesn’t mean it would catch malignant/malicious use cases.  For the latter, the resolver is where duplicates would be, well, “forbidden” from causing wasted cycles.

v2.35.0 | Report a Bug | By Email | System Status