Re: [DNSOP] on staleness of code points and code (mentions MD5 commentary from IETF98)

"Paul Hoffman" <> Tue, 28 March 2017 13:48 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1254912932A for <>; Tue, 28 Mar 2017 06:48:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id OwBoRcrfm1nZ for <>; Tue, 28 Mar 2017 06:48:51 -0700 (PDT)
Received: from (Opus1.Proper.COM []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D1F351201F8 for <>; Tue, 28 Mar 2017 06:48:51 -0700 (PDT)
Received: from [] ( []) (authenticated bits=0) by (8.15.2/8.14.9) with ESMTPSA id v2SDmcvp045165 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 28 Mar 2017 06:48:40 -0700 (MST) (envelope-from
X-Authentication-Warning: Host [] claimed to be []
From: "Paul Hoffman" <>
To: "Evan Hunt" <>
Cc: "" <>
Date: Tue, 28 Mar 2017 08:48:48 -0500
Message-ID: <>
In-Reply-To: <>
References: <> <>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed
X-Mailer: MailMate (1.9.6r5347)
Archived-At: <>
Subject: Re: [DNSOP] on staleness of code points and code (mentions MD5 commentary from IETF98)
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 28 Mar 2017 13:48:53 -0000

On 27 Mar 2017, at 21:41, Evan Hunt wrote:

> On Mon, Mar 27, 2017 at 12:45:04PM -0700, Paul Vixie wrote:
>> also, a validator that outputs "secure" based on MD5 inputs is making 
>> a
>> promise it can't keep.
> MD5 is known to be breakable

Please: let's be careful with our wording here.

There are widely-understood and widely-implemented attacks on MD5's 
collision resistance, reducing it from the design-level of 2^64 to 
somewhere around 2^30. In other words, it is trivial to create messages 
that have MD5 collisions.

To date, there have been no public papers showing any preimage attacks 
on MD5 reducing its design-level of 2^128. There may be privately-known 
attacks, of course, just as there might be for any cryptographic 
algorithm. A researcher who shows a preimage attack on MD5 would get 
huge recognition within the cryptographic community, so there is a 
strong motivation to try. So far, none has been forthcoming.

To date, no one has publicly described how a collision attack would help 
an attacker in DNSSEC. Such an attack would be *very* interesting to 
this community. If you know of such an attack, please say so here or in 
a cryptographic forum.

It has been over a decade since the collision-based attack on PKIX 
certificates was described, but since then none has been described for 
DNSSEC. In specific, because we now know that collision attacks on SHA1 
are feasible and will probably get better over time, this community 
should understand how such an attack could affect us.

For more information on cryptographic attacks on hashes, please see RFC 

--Paul Hoffman