Re: [DNSOP] on staleness of code points and code (mentions MD5 commentary from IETF98)

Paul Wouters <paul@nohats.ca> Tue, 28 March 2017 15:48 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A3861294A8 for <dnsop@ietfa.amsl.com>; Tue, 28 Mar 2017 08:48:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QdoJAVlYVvfs for <dnsop@ietfa.amsl.com>; Tue, 28 Mar 2017 08:48:00 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B8322128D40 for <dnsop@ietf.org>; Tue, 28 Mar 2017 08:48:00 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3vswJs4QWjz359; Tue, 28 Mar 2017 17:47:57 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1490716077; bh=u9fUO6TlMQM1wK+M1e4QUkcnNAZFikNOb+lWsXbtyVA=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=Sq1a6e2phu+XqSRA02/q/cy7Wr4ho1Cdwu0bHxUn8it+fnt7deVjRoJwQggCcd6LM HtNYXWzFrH4aUB4U5w+eRFSNQk88g6knfvX8D/2k5HeLlmTmHhDpHrgIU0i7oN3lPb 6euEGaEe72C1R8DPpmlmuJ8g+JkxnJQd3NvetRIg=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id ZF6c1lwYgDJC; Tue, 28 Mar 2017 17:47:56 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 28 Mar 2017 17:47:55 +0200 (CEST)
Received: from [31.133.141.251] (dhcp-8dfb.meeting.ietf.org [31.133.141.251]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bofh.nohats.ca (Postfix) with ESMTPSA id E633E3943A0; Tue, 28 Mar 2017 11:47:54 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca E633E3943A0
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (1.0)
From: Paul Wouters <paul@nohats.ca>
X-Mailer: iPhone Mail (14D27)
In-Reply-To: <c8b5b809-8e96-c45a-e693-5e6e266c5088@nic.cz>
Date: Tue, 28 Mar 2017 10:47:54 -0500
Cc: dnsop <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <AC7A76FA-8291-439D-9F02-709F392701CE@nohats.ca>
References: <58D96BC0.9040701@redbarn.org> <20170328024127.GC96991@isc.org> <CAM1xaJ-gCKqm63BuNszLxyt0_HevXSwB5H0+wg4ugatZSFJNPA@mail.gmail.com> <alpine.DEB.2.11.1703281532260.13590@grey.csi.cam.ac.uk> <20170328150503.GA21064@isc.org> <c8b5b809-8e96-c45a-e693-5e6e266c5088@nic.cz>
To: =?utf-8?Q?Petr_=C5=A0pa=C4=8Dek?= <petr.spacek@nic.cz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/aKPQqob087avvLEMV1gPaicIXGs>
Subject: Re: [DNSOP] on staleness of code points and code (mentions MD5 commentary from IETF98)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Mar 2017 15:48:04 -0000


> So again, MUST NOT is the right choice. I'm going to write tests for
> Knot Resolver to ensure we never set AD bit for zones signed using MD5.
> Right now.

If you want to accomplish this, why not actually follow the MUST NOT and remove MD5 support so it is treated as unsupported algorithm and also won't get an AD bit? That way your code has no MD5 specific handling.

Also, as PaulH reminded people, MD5 != HMAC_MD5 and I'd be shocked to see a forged MD5 signature.

Paul