Re: [DNSOP] [Ext] About key tags
Edward Lewis <edward.lewis@icann.org> Thu, 29 February 2024 12:52 UTC
Return-Path: <edward.lewis@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 821DBC14F6AF for <dnsop@ietfa.amsl.com>; Thu, 29 Feb 2024 04:52:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.208
X-Spam-Level:
X-Spam-Status: No, score=-4.208 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VutMEfT6FnaE for <dnsop@ietfa.amsl.com>; Thu, 29 Feb 2024 04:52:33 -0800 (PST)
Received: from ppa2.lax.icann.org (ppa2.lax.icann.org [192.0.33.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C9053C14F69F for <dnsop@ietf.org>; Thu, 29 Feb 2024 04:52:33 -0800 (PST)
Received: from MBX112-E2-VA-1.pexch112.icann.org (out.mail.icann.org [64.78.48.205]) by ppa2.lax.icann.org (8.17.1.24/8.17.1.24) with ESMTPS id 41TCqVlj026476 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 29 Feb 2024 12:52:31 GMT
Received: from MBX112-E2-VA-1.pexch112.icann.org (10.217.41.128) by MBX112-E2-VA-2.pexch112.icann.org (10.217.41.130) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.28; Thu, 29 Feb 2024 07:52:29 -0500
Received: from MBX112-E2-VA-1.pexch112.icann.org ([10.217.41.128]) by MBX112-E2-VA-1.pexch112.icann.org ([10.217.41.128]) with mapi id 15.02.1258.028; Thu, 29 Feb 2024 07:52:29 -0500
From: Edward Lewis <edward.lewis@icann.org>
To: Shumon Huque <shuque@gmail.com>
CC: John Levine <johnl@taugh.com>, "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: [DNSOP] [Ext] About key tags
Thread-Index: AQHaXynPA8WwwMruZU6Z5RM+17D0wbEJySsAgACGD4CAAStKgIAASjQAgAA/RYCAAAE9gIAAAsCAgADi3oCAAGiXgIAAGREAgAAQ2wCAEXRUAIAAJ+KAgAAPFICAASsOAIAAWiQAgACwI4A=
Date: Thu, 29 Feb 2024 12:52:29 +0000
Message-ID: <4F386814-7ED3-47D3-81C1-1E575FD3C686@icann.org>
References: <9C4B65D7-EC9D-40BC-9B23-825F7FE8FB7E@isc.org> <20240227220905.E06018410007@ary.qy> <641C2E38-F1A8-435B-BA6F-770FEE9AEEA5@icann.org> <CAHPuVdWGQL5bRRqPj=-g_02y-7sZG-1WyiTCqktbdba=PuzEvg@mail.gmail.com>
In-Reply-To: <CAHPuVdWGQL5bRRqPj=-g_02y-7sZG-1WyiTCqktbdba=PuzEvg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.65.22091101
x-originating-ip: [192.0.47.234]
x-source-routing-agent: True
Content-Type: multipart/alternative; boundary="_000_4F3868147ED347D381C11E575FD3C686icannorg_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.1011,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2024-02-29_02,2024-02-29_01,2023-05-22_02
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/gKqyyTmVaOAUO4ZZgdz6bJpQd-g>
Subject: Re: [DNSOP] [Ext] About key tags
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Feb 2024 12:52:34 -0000
From: DNSOP <dnsop-bounces@ietf.org> on behalf of Shumon Huque <shuque@gmail.com> Date: Wednesday, February 28, 2024 at 16:22 To: Edward Lewis <edward.lewis@icann.org> Cc: John Levine <johnl@taugh.com>, "dnsop@ietf.org" <dnsop@ietf.org> Subject: Re: [DNSOP] [Ext] About key tags >… I think writing a BCP telling folks how to avoid collisions would make sense though (and yes, it needs to cover the multi-signer case too). I support that. Key tag collisions make one of my pet projects (visualizing key management over time) cry. And collisions are a multiplier in a malicious use case. Discouraging them is a good thing. The point I’m belaboring is how the issue of resource over consumption is addressed matters. We can’t ban the problem out of existence, even if it were simple to restrict it from ever happening, we need to enforce this where the resources at risk are managed. If this means a validator experiences some false positives, I could live with that. There are very few good reasons to have a complex DNS set up and such situations are supported and tolerated in the protocol that doesn’t mean they are good ideas or have simpler alternatives. Discouraging wacky configurations isn’t a terrible thing to do, especially since we can have (or imagine) highly complex signing scenarios which could, if the planets align correctly, permit a key tag collision no matter to what length we go to prevent a collision from seeing the light of day. Keeping in mind - this entire topic is covering the non-usual state of the protocol, one that fears a malicious activity I believe has not been encountered in the wild. (If no action is taken, malicious activity might follow now that it is described, but I have not heard of a historical case of it.) We are dealing with the odd, we need to mitigate its impact, eliminating it might just be -relatively speaking - too much work.
- [DNSOP] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Arnold DECHAMPS
- Re: [DNSOP] About key tags Mark Andrews
- Re: [DNSOP] About key tags Wellington, Brian
- Re: [DNSOP] [Ext] Re: About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Petr Špaček
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Joe Abley
- Re: [DNSOP] [Ext] About key tags Petr Špaček
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Havard Eidnes
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Yorgos Thessalonikefs
- Re: [DNSOP] [Ext] About key tags Jim Reid
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Ralf Weber
- Re: [DNSOP] [Ext] About key tags Jim Reid
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags Ralf Weber
- Re: [DNSOP] [Ext] About key tags Petr Špaček
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Paul Hoffman
- Re: [DNSOP] [Ext] About key tags Donald Eastlake
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Petr Špaček
- Re: [DNSOP] [Ext] About key tags Paul Wouters
- Re: [DNSOP] [Ext] About key tags Paul Hoffman
- Re: [DNSOP] [Ext] About key tags Paul Wouters
- Re: [DNSOP] [Ext] About key tags Wellington, Brian
- Re: [DNSOP] [Ext] About key tags Paul Hoffman
- Re: [DNSOP] [Ext] About key tags Wellington, Brian
- Re: [DNSOP] [Ext] About key tags Ralf Weber
- Re: [DNSOP] [Ext] About key tags Paul Wouters
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Ralf Weber
- Re: [DNSOP] [Ext] About key tags Paul Hoffman
- Re: [DNSOP] [Ext] About key tags Ralf Weber
- Re: [DNSOP] [Ext] About key tags Bob Harold
- Re: [DNSOP] [Ext] About key tags Ted Lemon
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Jim Reid
- Re: [DNSOP] [Ext] About key tags libor.peltan
- Re: [DNSOP] [Ext] Re: About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Joe Abley
- Re: [DNSOP] [Ext] About key tags Petr Špaček
- Re: [DNSOP] [Ext] About key tags Jim Reid
- Re: [DNSOP] [Ext] About key tags Jim Reid
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags Peter Thomassen
- Re: [DNSOP] [Ext] About key tags Peter Thomassen
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Paul Hoffman
- Re: [DNSOP] [Ext] About key tags John Levine
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags John R Levine
- Re: [DNSOP] [Ext] About key tags and sensible lim… John Levine
- Re: [DNSOP] [Ext] About key tags Paul Wouters
- Re: [DNSOP] [Ext] About key tags libor.peltan
- Re: [DNSOP] [Ext] About key tags John Levine
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags Paul Hoffman
- Re: [DNSOP] [Ext] About key tags and their infreq… John R Levine
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Paul Wouters
- Re: [DNSOP] [Ext] About key tags and collision nu… John R Levine
- Re: [DNSOP] [Ext] About key tags Paul Hoffman
- Re: [DNSOP] [Ext] About key tags and collision nu… Mark Andrews
- Re: [DNSOP] [Ext] About key tags Ralf Weber
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Joe Abley
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags Ted Lemon
- Re: [DNSOP] [Ext] About key tags Paul Wouters
- Re: [DNSOP] [Ext] About key tags John R Levine
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags Lanlan Pan
- Re: [DNSOP] [Ext] About key tags Paul Wouters
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Arnold DECHAMPS
- Re: [DNSOP] [Ext] About key tags John R Levine
- Re: [DNSOP] [Ext] About key tags Joe Abley
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags John R Levine
- Re: [DNSOP] [Ext] About key tags Bob Harold
- Re: [DNSOP] [Ext] About key tags Mark Andrews
- Re: [DNSOP] [Ext] About key tags John R Levine
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Peter Thomassen
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Peter Thomassen
- Re: [DNSOP] [Ext] About key tags John R Levine
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags John Levine
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] Nothing more useful to say Abou… John Levine
- Re: [DNSOP] [Ext] About key tags John Levine
- Re: [DNSOP] [Ext] Nothing more useful to say Abou… Philip Homburg
- Re: [DNSOP] [Ext] Nothing more useful to say Abou… John Levine
- Re: [DNSOP] [Ext] About key tags Dave Lawrence
- Re: [DNSOP] [Ext] About key tags Shumon Huque
- Re: [DNSOP] [Ext] About key tags Philip Homburg
- Re: [DNSOP] [Ext] About key tags Edward Lewis
- Re: [DNSOP] [Ext] About key tags Petr Špaček