Re: [DNSOP] [Ext] About key tags
Ted Lemon <mellon@fugue.com> Thu, 29 February 2024 17:36 UTC
Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4B98C180B77 for <dnsop@ietfa.amsl.com>; Thu, 29 Feb 2024 09:36:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bQWv2ITJDqf3 for <dnsop@ietfa.amsl.com>; Thu, 29 Feb 2024 09:36:36 -0800 (PST)
Received: from mail-qk1-x731.google.com (mail-qk1-x731.google.com [IPv6:2607:f8b0:4864:20::731]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8BBC2C180B74 for <dnsop@ietf.org>; Thu, 29 Feb 2024 09:36:36 -0800 (PST)
Received: by mail-qk1-x731.google.com with SMTP id af79cd13be357-787a2a14cd1so78062685a.0 for <dnsop@ietf.org>; Thu, 29 Feb 2024 09:36:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20230601.gappssmtp.com; s=20230601; t=1709228195; x=1709832995; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=AfyXgGWryllCHfX+vT1Z/q+leg63xB3lw3HXt48HTKw=; b=NtqjAVqOimdLGl6eevKnHfIqAcEz9+GiEBYAPRKRip4SeD/LSIZY0Wqz0lM4mMFzt0 IlQYKF2+3TlQh8NbTFC+cZpc6NFqp1ZHme+cB0VeADzGRsXZBImBE7Xg9anaXuXuEFpI tun2wJi/prXEAA1YgeHXgfVtFzCfrIkJc6fR35jAgCOHYT+/h2ZYH79KLPSsuAV25M6q uFVRwvyUBqDQSJ2OUnY9iFhH/+tvof3zviL+Qa2FPskFkMuNFBXJh7eHflQno3NrR3Vl d7evYKrHmOQUhtAMn3gzJaOlbECWQ7/7SbvfZb43vZ9up9K2kOtaWp5LFd1zhM0N/1EK 6gsA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709228195; x=1709832995; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=AfyXgGWryllCHfX+vT1Z/q+leg63xB3lw3HXt48HTKw=; b=RW6txs1HOBZJ8SMIvh/B+KV+Yu2+L2LKxEaW96lwv7jQSozMIbXr/X73+XQbnOhq5u Ads/bscWNwJybBaA8mYtgEnx2W4218nemKDCCTZw/hccSItf1JXrR5PfloJTxA1t/9FC HmOphlYg5aS8+rKas931E2DRhC7OkRr4fAEBE0HNlkD4aI+DEywaLUpkPkw42CFsYFBL 06LDQchQQEMXaGMn6gTV4/EcyFQgWwtn2rusARtP9/U9SIVU5aCdP4gudgn3aewJlDjI 2EESvNQfZFojDw1cDbVqiBZBXVBGzSkjhHpFaVthSTeTmlsJmm5ZOGbw5v09SCzTusY/ Svow==
X-Forwarded-Encrypted: i=1; AJvYcCUdDTlznxVOsFzIAqXLKb/BfQl1sHVvM87CE5J3aAb2wNl86fgv81I6aTrvhVPs436ViU6JdAjOCIuVS++yDA==
X-Gm-Message-State: AOJu0YyRQ8Dg1guDNRLUeHDWZPhhEXWmgWm0XjBsC8bNeGzTFzr/Svgf ixmy0M6E10bICduROtdSlgKV1p+EGgNGpmKZOTA8eb9uNq5o61qLt0o9dK/dqa2jZEJPkB+MVvx 5zebSMU4OWfPNWbKI0lrMPGTrct3kLv1AMAee3A==
X-Google-Smtp-Source: AGHT+IEJPr5+v1yxj50xX8XBQQODqLFhjczxbLXkk0g0ChhlkcwpYNnyf29sMmVAPmDRpkgpsdlECwsfN4qz8j71xGE=
X-Received: by 2002:a0c:da88:0:b0:68f:2f35:4b3d with SMTP id z8-20020a0cda88000000b0068f2f354b3dmr3021667qvj.35.1709228195130; Thu, 29 Feb 2024 09:36:35 -0800 (PST)
MIME-Version: 1.0
References: <9C4B65D7-EC9D-40BC-9B23-825F7FE8FB7E@isc.org> <20240227220905.E06018410007@ary.qy> <641C2E38-F1A8-435B-BA6F-770FEE9AEEA5@icann.org> <CAHPuVdWGQL5bRRqPj=-g_02y-7sZG-1WyiTCqktbdba=PuzEvg@mail.gmail.com> <4F386814-7ED3-47D3-81C1-1E575FD3C686@icann.org>
In-Reply-To: <4F386814-7ED3-47D3-81C1-1E575FD3C686@icann.org>
From: Ted Lemon <mellon@fugue.com>
Date: Thu, 29 Feb 2024 12:35:58 -0500
Message-ID: <CAPt1N1nei66Gn3zRyUwVLXC9=xQR20F=d35jAGFkbmPwPwUf=Q@mail.gmail.com>
To: Edward Lewis <edward.lewis@icann.org>
Cc: Shumon Huque <shuque@gmail.com>, John Levine <johnl@taugh.com>, "dnsop@ietf.org" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000694c2c061288b3f8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/bPkaztm1DQhg-x0oOKsPp2Q2zYk>
Subject: Re: [DNSOP] [Ext] About key tags
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Feb 2024 17:36:38 -0000
I think it might be worth distinguishing between caching validators and end validators. For an end validator, doing a second validation is not going to be a serious issue. The Apple DNSSEC validator currently does not allow key tag collisions at all, but it's not yet in heavy use so I wouldn't want to suggest that this is the correct behavior. In our internal discussions we've concluded that allowing a single collision is okay; more than that is not okay. But our validator isn't going to be easily subject to the kinds of attacks we're talking about, because it's on an end device. The case Ralf is talking about is probably the more important case to consider. In Akamai's case, this attack is much more likely to actually cause a serious problem. So allowing a multiplier of 10 seems bad. Allowing a multiplier of 2 (allowing one collision) is also fairly bad. It really doesn't seem that hard to me to completely forbid key tag collisions. I'd like to hear a clear argument for why that's not doable, and not just some hand-waving about how it's complicated and someone might get it wrong. Zones with multiple offline signers are as far as I know the exception, not the rule. I think we can come up with some straightforward heuristics for ensuring that we get it right in those cases. It really should not be on the caching resolver providers to pay the cost of poor authoritative server operational practices. On Thu, Feb 29, 2024 at 7:52 AM Edward Lewis <edward.lewis@icann.org> wrote: > *From: *DNSOP <dnsop-bounces@ietf.org> on behalf of Shumon Huque < > shuque@gmail.com> > *Date: *Wednesday, February 28, 2024 at 16:22 > *To: *Edward Lewis <edward.lewis@icann.org> > *Cc: *John Levine <johnl@taugh.com>, "dnsop@ietf.org" <dnsop@ietf.org> > *Subject: *Re: [DNSOP] [Ext] About key tags > > > > >… I think writing a BCP telling folks how to avoid collisions would make > sense though (and yes, it needs to cover the multi-signer case too). > > > > I support that. Key tag collisions make one of my pet projects > (visualizing key management over time) cry. And collisions are a > multiplier in a malicious use case. Discouraging them is a good thing. > > > > The point I’m belaboring is how the issue of resource over consumption is > addressed matters. We can’t ban the problem out of existence, even if it > were simple to restrict it from ever happening, we need to enforce this > where the resources at risk are managed. > > > > If this means a validator experiences some false positives, I could live > with that. There are very few good reasons to have a complex DNS set up > and such situations are supported and tolerated in the protocol that > doesn’t mean they are good ideas or have simpler alternatives. > Discouraging wacky configurations isn’t a terrible thing to do, especially > since we can have (or imagine) highly complex signing scenarios which > could, if the planets align correctly, permit a key tag collision no matter > to what length we go to prevent a collision from seeing the light of day. > > > > Keeping in mind - this entire topic is covering the non-usual state of the > protocol, one that fears a malicious activity I believe has not been > encountered in the wild. (If no action is taken, malicious activity might > follow now that it is described, but I have not heard of a historical case > of it.) We are dealing with the odd, we need to mitigate its impact, > eliminating it might just be -relatively speaking - too much work. > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop >
- [DNSOP] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Arnold DECHAMPS
- Re: [DNSOP] About key tags Mark Andrews
- Re: [DNSOP] About key tags Wellington, Brian
- Re: [DNSOP] [Ext] Re: About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Petr Špaček
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Joe Abley
- Re: [DNSOP] [Ext] About key tags Petr Špaček
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Havard Eidnes
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Yorgos Thessalonikefs
- Re: [DNSOP] [Ext] About key tags Jim Reid
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Ralf Weber
- Re: [DNSOP] [Ext] About key tags Jim Reid
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags Ralf Weber
- Re: [DNSOP] [Ext] About key tags Petr Špaček
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Paul Hoffman
- Re: [DNSOP] [Ext] About key tags Donald Eastlake
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Petr Špaček
- Re: [DNSOP] [Ext] About key tags Paul Wouters
- Re: [DNSOP] [Ext] About key tags Paul Hoffman
- Re: [DNSOP] [Ext] About key tags Paul Wouters
- Re: [DNSOP] [Ext] About key tags Wellington, Brian
- Re: [DNSOP] [Ext] About key tags Paul Hoffman
- Re: [DNSOP] [Ext] About key tags Wellington, Brian
- Re: [DNSOP] [Ext] About key tags Ralf Weber
- Re: [DNSOP] [Ext] About key tags Paul Wouters
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Ralf Weber
- Re: [DNSOP] [Ext] About key tags Paul Hoffman
- Re: [DNSOP] [Ext] About key tags Ralf Weber
- Re: [DNSOP] [Ext] About key tags Bob Harold
- Re: [DNSOP] [Ext] About key tags Ted Lemon
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Jim Reid
- Re: [DNSOP] [Ext] About key tags libor.peltan
- Re: [DNSOP] [Ext] Re: About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Joe Abley
- Re: [DNSOP] [Ext] About key tags Petr Špaček
- Re: [DNSOP] [Ext] About key tags Jim Reid
- Re: [DNSOP] [Ext] About key tags Jim Reid
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags Peter Thomassen
- Re: [DNSOP] [Ext] About key tags Peter Thomassen
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Paul Hoffman
- Re: [DNSOP] [Ext] About key tags John Levine
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags John R Levine
- Re: [DNSOP] [Ext] About key tags and sensible lim… John Levine
- Re: [DNSOP] [Ext] About key tags Paul Wouters
- Re: [DNSOP] [Ext] About key tags libor.peltan
- Re: [DNSOP] [Ext] About key tags John Levine
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags Paul Hoffman
- Re: [DNSOP] [Ext] About key tags and their infreq… John R Levine
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Paul Wouters
- Re: [DNSOP] [Ext] About key tags and collision nu… John R Levine
- Re: [DNSOP] [Ext] About key tags Paul Hoffman
- Re: [DNSOP] [Ext] About key tags and collision nu… Mark Andrews
- Re: [DNSOP] [Ext] About key tags Ralf Weber
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Joe Abley
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags Ted Lemon
- Re: [DNSOP] [Ext] About key tags Paul Wouters
- Re: [DNSOP] [Ext] About key tags John R Levine
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Lanlan Pan
- Re: [DNSOP] [Ext] About key tags Paul Wouters
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Arnold DECHAMPS
- Re: [DNSOP] [Ext] About key tags John R Levine
- Re: [DNSOP] [Ext] About key tags Joe Abley
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags John R Levine
- Re: [DNSOP] [Ext] About key tags Bob Harold
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags John R Levine
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Peter Thomassen
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Peter Thomassen
- Re: [DNSOP] [Ext] About key tags John R Levine
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags John Levine
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] Nothing more useful to say Abou… John Levine
- Re: [DNSOP] [Ext] About key tags John Levine
- Re: [DNSOP] [Ext] Nothing more useful to say Abou… Philip Homburg
- Re: [DNSOP] [Ext] Nothing more useful to say Abou… John Levine
- Re: [DNSOP] [Ext] About key tags Dave Lawrence
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Petr Špaček