Re: [DNSOP] ECDSA woes

Ray Bellis <ray@bellis.me.uk> Sat, 15 October 2016 14:30 UTC


On 15/10/2016 01:22, Mikael Abrahamsson wrote:

> So... my question to you fine people is:
> 
> Is there any (existing and freely available) testing suite I can run
> against my chosen resolver that tests all the SHOULDs and MUSTs
> regarding DNSSEC validation, including future proofing for new algorithms?
> 
> If not, I would like to call upon, for instance, ccTLD registries, ISOC and
> others, to develop a test suite for this, maintain it over time, and
> make it freely available.
> 
> I like DNSSEC and want to see it widely deployed. It's an important part
> of Internet plumbing. These kinds of problems that I've had in the last weeks
> mean people who oppose it with FUD actually have concrete breakage to
> point at, which means it's not "Uncertain" anymore.

It's not exactly what you've asked for, but I have an iOS app under
development that can test your phone's configured resolvers for various
DNS protocol conformance issues.

At the moment the extent of the DNSSEC-specific tests is to check that a
query for the root zone's SOA with the +CD flag returns the expected RRSIGs.

I hadn't considered algorithm-specific tests, but the app could in
theory include tests for whether zones known to be signed with specific
algorithms can be correctly resolved with +AD returned.

Ray
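
As an added example (not code from the thread or from Ray's app), here is how the two checks Ray describes can be applied to a wire-format DNS response in plain Python: `inspect_response` reads the header flags and the answer section, `soa_rrsig_check` implements the current root-SOA test, and `ad_with_algorithm_check` the proposed per-algorithm AD test. The sample response is constructed by hand and the function and field names are mine; algorithm number 13 (ECDSAP256SHA256) stands in for the ECDSA case the thread is about.

```python
import struct
SOA, RRSIG = 6, 46                 # RR type codes; DNSSEC algorithm 13 is ECDSAP256SHA256

def skip_name(buf, off):           # offset just past the name at off (labels or pointer)
    while True:
        n = buf[off]
        if n & 0xC0 == 0xC0:       # compression pointer: two bytes, and the name ends there
            return off + 2
        off += 1 + n
        if n == 0:
            return off

def inspect_response(buf):
    """Parse the header flags and the answer section of a wire-format DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!6H", buf[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4    # skip QTYPE and QCLASS
    answers, algs = [], set()
    for _ in range(an):
        off = skip_name(buf, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        covered = None
        if rtype == RRSIG:               # RDATA opens with type covered (2) and algorithm (1)
            covered, alg = struct.unpack("!HB", buf[off:off + 3])
            algs.add(alg)
        answers.append((rtype, covered))
        off += rdlen
    return {"ad": bool(flags & 0x20), "cd": bool(flags & 0x10), "rcode": flags & 0xF,
            "answers": answers, "algorithms": algs}

def soa_rrsig_check(buf):
    """Ray's current test: the root SOA answer must carry an RRSIG covering SOA."""
    r = inspect_response(buf)
    return r["rcode"] == 0 and (SOA, None) in r["answers"] and (RRSIG, SOA) in r["answers"]

def ad_with_algorithm_check(buf, alg):
    """Ray's proposed test: a zone signed with `alg` validates, i.e. comes back with AD set."""
    r = inspect_response(buf)
    return r["rcode"] == 0 and r["ad"] and alg in r["algorithms"]

def build_sample(flags=0x81B0, alg=13):
    """Constructed '. SOA' response (not a real capture); default flags are QR|RD|RA|AD|CD."""
    hdr = struct.pack("!6H", 0x1234, flags, 1, 2, 0, 0)
    question = b"\x00" + struct.pack("!HH", SOA, 1)
    soa_rdata = b"\x01a\x00\x01b\x00" + struct.pack("!5I", 2016101500, 1800, 900, 604800, 86400)
    sig_rdata = (struct.pack("!HBBIIIH", SOA, alg, 0, 86400, 1477000000, 1475000000, 4242)
                 + b"\x00" + bytes(64))  # signer name = root, placeholder 64-byte signature
    rr = lambda rtype, rdata: b"\x00" + struct.pack("!HHIH", rtype, 1, 86400, len(rdata)) + rdata
    return hdr + question + rr(SOA, soa_rdata) + rr(RRSIG, sig_rdata)
```

Against a live resolver the buffer would be the payload returned for a query sent with the EDNS DO bit set (plus CD for the first test); the checks only report what the resolver returned and do not verify the signatures themselves.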