Re: [DNSOP] [Ext] About key tags

Edward Lewis <edward.lewis@icann.org> Thu, 29 February 2024 12:52 UTC

From: Edward Lewis <edward.lewis@icann.org>
To: Shumon Huque <shuque@gmail.com>
CC: John Levine <johnl@taugh.com>, "dnsop@ietf.org" <dnsop@ietf.org>
Date: Thu, 29 Feb 2024 12:52:29 +0000
Message-ID: <4F386814-7ED3-47D3-81C1-1E575FD3C686@icann.org>
References: <9C4B65D7-EC9D-40BC-9B23-825F7FE8FB7E@isc.org> <20240227220905.E06018410007@ary.qy> <641C2E38-F1A8-435B-BA6F-770FEE9AEEA5@icann.org> <CAHPuVdWGQL5bRRqPj=-g_02y-7sZG-1WyiTCqktbdba=PuzEvg@mail.gmail.com>
In-Reply-To: <CAHPuVdWGQL5bRRqPj=-g_02y-7sZG-1WyiTCqktbdba=PuzEvg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/gKqyyTmVaOAUO4ZZgdz6bJpQd-g>
Subject: Re: [DNSOP] [Ext] About key tags
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>

From: DNSOP <dnsop-bounces@ietf.org> on behalf of Shumon Huque <shuque@gmail.com>
Date: Wednesday, February 28, 2024 at 16:22
To: Edward Lewis <edward.lewis@icann.org>
Cc: John Levine <johnl@taugh.com>, "dnsop@ietf.org" <dnsop@ietf.org>
Subject: Re: [DNSOP] [Ext] About key tags

>… I think writing a BCP telling folks how to avoid collisions would make sense though (and yes, it needs to cover the multi-signer case too).

I support that.  Key tag collisions make one of my pet projects (visualizing key management over time) cry.  And collisions are a multiplier in a malicious use case.  Discouraging them is a good thing.

The point I’m belaboring is that how the issue of resource over-consumption is addressed matters.  We can’t ban the problem out of existence; even if it were simple to restrict it from ever happening, we need to enforce this where the resources at risk are managed.

If this means a validator experiences some false positives, I could live with that.  There are very few good reasons to have a complex DNS setup; such situations are supported and tolerated in the protocol, but that doesn’t mean they are good ideas or have simpler alternatives.  Discouraging wacky configurations isn’t a terrible thing to do, especially since we can have (or imagine) highly complex signing scenarios which could, if the planets align correctly, permit a key tag collision no matter to what length we go to prevent a collision from seeing the light of day.

Keeping in mind - this entire topic is covering the non-usual state of the protocol, one that fears a malicious activity I believe has not been encountered in the wild.  (If no action is taken, malicious activity might follow now that it is described, but I have not heard of a historical case of it.)  We are dealing with the odd; we need to mitigate its impact, and eliminating it might just be - relatively speaking - too much work.
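The thread above turns on two facts about DNSSEC key tags: they are a 16-bit checksum (RFC 4034, Appendix B), not a unique identifier, and a validator selects candidate DNSKEYs for an RRSIG by (owner, algorithm, key tag), so every extra key sharing a tag multiplies the signature verifications a resolver may attempt. The script below is an added example, not code from the list discussion or from the author or ICANN: it computes key tags from DNSKEY presentation format, audits an RRset for colliding tags (the "discouraging collisions" check a zone operator can run before publishing), and reports the worst-case verification count for a given set of RRSIGs. The DNSKEY records in it are constructed for the arithmetic; their base64 key bodies are toy bytes, not valid algorithm 13 public keys, and the zone name is hypothetical.

```python
"""Key tag computation (RFC 4034 Appendix B) and a collision audit for a DNSKEY RRset.

Added example. The SAMPLE_RRSET records are constructed: the key bodies are toy
bytes chosen to exercise the checksum, not real ECDSA (algorithm 13) keys.
"""
import base64
from collections import defaultdict


def key_tag(flags: int, protocol: int, algorithm: int, public_key: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA.

    The RDATA is summed as 16-bit big-endian words (an odd trailing byte counts
    as the high byte of a word), the carry is folded back in once, and the low
    16 bits are the tag. Because it is a checksum, distinct keys can share a tag.
    Algorithm 1 (RSA/MD5) used a different rule and is rejected here.
    """
    if algorithm == 1:
        raise ValueError("algorithm 1 (RSA/MD5) key tags are computed differently")
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str) -> dict:
    """Parse one DNSKEY record in presentation format:
    <owner> [<ttl>] [<class>] DNSKEY <flags> <protocol> <algorithm> <base64 ...>
    The base64 key may be split across several whitespace-separated chunks."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    public_key = base64.b64decode("".join(fields[idx + 4:]))
    return {
        "owner": fields[0].lower(),
        "flags": flags,
        "protocol": protocol,
        "algorithm": algorithm,
        "key": public_key,
        "tag": key_tag(flags, protocol, algorithm, public_key),
    }


def find_collisions(records: list) -> dict:
    """Group DNSKEYs by (owner, algorithm, tag) and return only groups holding
    more than one distinct key. A validator cannot tell these apart from the
    key tag field of an RRSIG, so each such group is a verification multiplier."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["owner"], r["algorithm"], r["tag"])].append(r)
    return {k: v for k, v in groups.items()
            if len({r["key"] for r in v}) > 1}


def worst_case_verifications(records: list, rrsigs: list) -> int:
    """Upper bound on signature verifications for one RRset: each RRSIG, given as
    (signer_name, algorithm, key_tag), is tried against every DNSKEY that matches
    those three fields. With no collisions this equals the number of RRSIGs that
    name a present key; collisions push it toward keys x signatures."""
    counts = defaultdict(int)
    for r in records:
        counts[(r["owner"], r["algorithm"], r["tag"])] += 1
    return sum(counts.get((signer.lower(), alg, tag), 0)
               for signer, alg, tag in rrsigs)


# Constructed sample RRset (hypothetical zone, toy key bytes): the first two
# records are different keys that produce the same tag; the third differs.
SAMPLE_RRSET = [
    "example. 3600 IN DNSKEY 257 3 13 AQIDBA==",
    "example. 3600 IN DNSKEY 257 3 13 AgECBQ==",
    "example. 3600 IN DNSKEY 257 3 13 AQID",
]


def audit(lines: list, rrsigs: list) -> dict:
    """Run the collision audit and the verification bound over a zone's DNSKEYs."""
    records = [parse_dnskey(line) for line in lines]
    return {
        "tags": [r["tag"] for r in records],
        "collisions": {k: len(v) for k, v in find_collisions(records).items()},
        "worst_case_verifications": worst_case_verifications(records, rrsigs),
    }


if __name__ == "__main__":
    # Three RRSIGs all naming the colliding tag: 3 signatures x 2 candidate keys.
    sigs = [("example.", 13, 2068)] * 3
    report = audit(SAMPLE_RRSET, sigs)
    for k, v in report.items():
        print(f"{k}: {v}")
```

The collision report is what an operator would act on before a key rollover or in a multi-signer setup (regenerate a key whose tag collides with one already published); the verification bound is the quantity a validator-side cap limits, and comparing it against such a cap for your own zone shows whether a legitimate configuration would trip the "false positives" the message is willing to tolerate.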