Re: [DNSOP] [Ext] About key tags

John Levine <johnl@taugh.com> Tue, 27 February 2024 22:09 UTC

Date: Tue, 27 Feb 2024 17:09:05 -0500
Message-Id: <20240227220905.E06018410007@ary.qy>
From: John Levine <johnl@taugh.com>
To: dnsop@ietf.org
In-Reply-To: <9C4B65D7-EC9D-40BC-9B23-825F7FE8FB7E@isc.org>
Organization: Taughannock Networks
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/jwc2Qmp7PMQapbYZ-cgE7wHvKI8>

It appears that Mark Andrews <marka@isc.org> said:
>The current “fixes” still leave validators more vulnerable to cpu exhaustion attacks than eliminating colliding key tags in the signer does. This is a protocol bug that leads to
>cpu exhaustion.  We, the IETF, have a duty to fix this at the protocol level.

I'm having trouble understanding how this is fundamentally different
from CNAME loops, or NS sets with silly numbers of NS or A records.

The kind of load is different but in each case the client needs to
limit the amount of work it's willing to do. We can forbid it in the
protocol but unless you have better contacts at the Protocol Police
than I do, people will do it anyway.

R's,
John

PS: Try looking up 1.2.3.4.contacts.abuse.net.
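As an added example that is not part of John Levine's post or of any DNSSEC implementation, here is the RFC 4034 Appendix B key tag computation next to the two mitigations the thread contrasts: a signer-side check that refuses to publish colliding tags, and a validator-side budget that bounds how many candidate keys it will try for one RRSIG. The DNSKEY bytes are constructed filler, not real keys, and `verify` is a hypothetical callback standing in for the real signature check.

```python
import struct

def key_tag(rdata: bytes) -> int:
    """Key tag of DNSKEY RDATA per RFC 4034 Appendix B (algorithms other than 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8          # odd bytes weight 1, even bytes weight 256
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """Build DNSKEY RDATA: flags(2) | protocol(1)=3 | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def colliding_tags(dnskeys):
    """Signer-side check: (tag, algorithm) pairs shared by more than one key in the set."""
    seen, dup = set(), set()
    for rdata in dnskeys:
        pair = (key_tag(rdata), rdata[3])
        (dup if pair in seen else seen).add(pair)
    return dup

def validate_with_budget(rrsig_tag, rrsig_alg, dnskeys, verify, max_attempts):
    """Validator-side limit: try keys matching the RRSIG's (tag, alg), but give up
    after max_attempts signature checks. Returns (verified, attempts_used)."""
    attempts = 0
    for rdata in dnskeys:
        if rdata[3] != rrsig_alg or key_tag(rdata) != rrsig_tag:
            continue                            # cheap filter, no crypto spent
        if attempts >= max_attempts:
            return False, attempts              # budget exhausted: treat as bogus, stop working
        attempts += 1
        if verify(rdata):
            return True, attempts
    return False, attempts

# Constructed sample keys (filler bytes, not real key material). The tag is a
# plain 16-bit checksum, so swapping two same-parity bytes leaves it unchanged:
# K1 collides with K0; K2 does not.
_pk = bytearray(range(32))
K0 = dnskey_rdata(257, 13, bytes(_pk))
_pk[1], _pk[3] = _pk[3], _pk[1]
K1 = dnskey_rdata(257, 13, bytes(_pk))
K2 = dnskey_rdata(257, 13, bytes(range(32, 64)))
SAMPLE_KEYS = [K0, K1, K2]

if __name__ == "__main__":
    print("tags:", [key_tag(k) for k in SAMPLE_KEYS], "collisions:", colliding_tags(SAMPLE_KEYS))
    print(validate_with_budget(key_tag(K0), 13, SAMPLE_KEYS, lambda r: r == K1, max_attempts=1))
```

With a budget of one attempt the validator stops before reaching K1 and reports bogus; with a budget of two it succeeds, so the budget is a policy knob traded against the number of colliding keys a signer might legitimately publish.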