Re: [DNSOP] Robert Wilton's No Objection on draft-ietf-dnsop-dns-zone-digest-12: (with COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Mon, 12 October 2020 04:15 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D77D3A0A35; Sun, 11 Oct 2020 21:15:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VLdMk-oVILcA; Sun, 11 Oct 2020 21:14:59 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7AE73A0A3B; Sun, 11 Oct 2020 21:14:58 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 09C4Emng026533 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 12 Oct 2020 00:14:53 -0400
Date: Sun, 11 Oct 2020 21:14:48 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: "Wessels, Duane" <dwessels=40verisign.com@dmarc.ietf.org>
Cc: Robert Wilton <rwilton@cisco.com>, "draft-ietf-dnsop-dns-zone-digest@ietf.org" <draft-ietf-dnsop-dns-zone-digest@ietf.org>, Tim Wicinski <tjw.ietf@gmail.com>, "dnsop@ietf.org" <dnsop@ietf.org>, "dnsop-chairs@ietf.org" <dnsop-chairs@ietf.org>, The IESG <iesg@ietf.org>
Message-ID: <20201012041448.GG83747@kduck.mit.edu>
References: <160215590178.19643.8185294724542473578@ietfa.amsl.com> <514C5EA8-2814-42AA-9787-455445BA828D@verisign.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <514C5EA8-2814-42AA-9787-455445BA828D@verisign.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/iQ6MgqnSAXdCiqJsewSSRPRbu9U>
Subject: Re: [DNSOP] Robert Wilton's No Objection on draft-ietf-dnsop-dns-zone-digest-12: (with COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Oct 2020 04:15:00 -0000

On Fri, Oct 09, 2020 at 06:36:28PM +0000, Wessels, Duane wrote:
> 
> 
> > On Oct 8, 2020, at 4:18 AM, Robert Wilton via Datatracker <noreply@ietf.org> wrote:
[...]
> >    2.  The ZONEMD Resource Record
> > 
> >       It is
> >       RECOMMENDED that a zone include only one ZONEMD RR, unless the zone
> >       publisher is in the process of transitioning to a new Scheme or Hash
> >       Algorithm.
> > 
> > I'm not quite sure how well this fits with sections 2.2.3 restriction that
> > SHA384 MUST be implemented, and SHA512 SHOULD be implemented.   As a recipient
> > of the zone info I understand that I would need to implement both, but as a
> > sender am I allowed to only send SHA512, or both, or must I always send SHA384?
> 
> As sender (publisher) you are allowed to publish whatever you want.
> 
> The purpose of the recommendation above is to hopefully avoid the situation
> where multiple records are published (with both types) on an ongoing basis.
> That is something we observe with DS records quite often.  For example,
> 750 TLDs today publish both SHA1 and SHA256 digest types as DS records in
> the root zone.  This new paragraph has been added to the security
> considerations:
> 
> 6.2.  Use of Multiple ZONEMD Hash Algorithms
> 
>    When a zone publishes multiple ZONEMD RRs, the overall security is
>    only as good as the weakest hash algorithm in use.  For this reason,
>    Section 2 recommends only publishing multiple ZONEMD RRs when
>    transitioning to a new scheme or hash algorithm.  Once the transition
>    is complete, the old scheme or hash algorithm should be removed from
>    the ZONEMD RRSet.

While I'm happy to see this statement made, I do want to note that the
actual properties here have some complex interplay, and "only as good as
the weakest hash algorithm in use" may only be strictly true in certain
scennarios.  (So, in the general case, it is a true statement, but there
may be certain cases in which it does not hold.)  In particular, since
DNSSEC signs the whole RRset, it does not seem like it is possible (without
some other attack) to modify things so that the ZONEMD with a different
hash algorithm is not visible while retaining the RRSIG.  And if you have
a signed zone with a weak hash for ZONEMD, producing a different zone that
collides the ZONEMD will probably not retain all the RRSIGS on the other
records (though could plausibly retain most of them).  So, it's
complicated, but I'm not sure that we really need to get into the specifics
in this document.  Personally, I'm fine keeping this text as-is, but I did
want to note the subtlety involved.

-Ben