IETF Logo Mail Archive

[DNSOP] Re: New draft on collision free key tags in DNSSEC

Peter Thomassen <peter@desec.io> Tue, 13 August 2024 11:55 UTC

Return-Path: <peter@desec.io>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6ABE0C14F602; Tue, 13 Aug 2024 04:55:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=desec.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yplI49DZg0eo; Tue, 13 Aug 2024 04:55:29 -0700 (PDT)
Received: from mail.a4a.de (mail.a4a.de [IPv6:2a01:4f8:10a:1d5c:8000::8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC643C15108A; Tue, 13 Aug 2024 04:55:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=desec.io; s=20170825; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:From: References:To:Subject:MIME-Version:Date:Message-ID:Sender:Reply-To:Cc: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=q7sKxQz+s5bdHQ82GekdhMxt8Z0LD2YPmMxheQ8/V4M=; b=kdygIQezS1CnydIPxpaOMNWXyj RCMBNGY5ej/MZMM9JHrOPPDamCLiT1U64bjrYnrmi7xc8N9crS8jRa4N6/BACY9QIHJCe2DCpEmIU 2IwZkoFZNZ+UJWGSdfBgMCYZFIOrd7cxnMFHYqIW4fV2EfWVIztf1c1NRy0diZ6hKilmCxK5nh1yc JoiDRoD+6kY+JrF97W97UFoS5Ipr2imO/bltsir0wLCkfKPL/H3S0a3g0FuMRR65HQEHMVgDtG/Yr grHGwnBqMGBwj1iAqnZUBCVFYJoW5Qsj1CrPWpjEObrnTffFPc7R5oH2rvvzYCvONeaHLIxY3kmyc 1ULoPbYQ==;
Received: from [90.187.67.221] (helo=[192.168.55.171]) by mail.a4a.de with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.93) (envelope-from <peter@desec.io>) id 1sdq7Z-00C21q-M0; Tue, 13 Aug 2024 13:55:25 +0200
Message-ID: <65111720-da35-40a0-bead-67482aa6195a@desec.io>
Date: Tue, 13 Aug 2024 13:55:25 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: "libor.peltan" <libor.peltan=40nic.cz@dmarc.ietf.org>, Shumon Huque <shuque@gmail.com>, "dnsop@ietf.org WG" <dnsop@ietf.org>
References: <CAHPuVdUveYraaGtrGveKTiLgP1L19G6g6=bsKsHjsPsP5fkiXg@mail.gmail.com> <774ab370-5d66-4c0d-b0a4-6d9e9cec2549@nic.cz>
Content-Language: en-US
From: Peter Thomassen <peter@desec.io>
In-Reply-To: <774ab370-5d66-4c0d-b0a4-6d9e9cec2549@nic.cz>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Message-ID-Hash: SDIGYOCU4WPWRZWWUJ2TUMF7JEONKDPB
X-Message-ID-Hash: SDIGYOCU4WPWRZWWUJ2TUMF7JEONKDPB
X-MailFrom: peter@desec.io
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: New draft on collision free key tags in DNSSEC
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kGDhnFE5c5OmKF41KT36aPLcodE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Hi,

On 7/30/24 09:41, libor.peltan wrote:
> 1) I'd very much like to see more exact guidance of how the auth server / signer should prevent keytag collisions. For example, what our Knot DNS does is: (a) on a signle signer, when newly generated key causes collision, discard it and generate another; (b) in multi-signer (or offline-KSK) operation, fragment the keytag space between key generators (e.g. first signer discards any generated key with even keytags, the other one with odd ones). What I'm missing is a reasearch confirming (or rejecting) that this both is always possible -- i.e. that with existing (and future?) algorithms, it can't happen that the key tags would be always following a pattern (like being even all the time), putting the key generator in a hopeless loop.

I would say that general guidance / research is impossible, as the answer depends on the internal structure of the DNSKEY RDATA for algorithms that might be defined in the future, and that stuff is unknown.

It's seems conceivable that some future (or private/experimental) algorithm's DNSKEY RDATA might have correlated least significant bits in its odd octets (which would translate into a bias towards even/odd key tags).

Given that the key tag algorithm clearly is very biased and potentially exploits DNSKEY RDATA structure [1], it may be worth replacing it with another calculation rule (for new algorithms only).

Slides 20-22 of [1] mention CRC16 as one candidate; perhaps an even less biased hash function would be better. While collision probability would not be significantly reduced (due to the birthday paradox), it at least would allow strategies like Libor's partitioning the key tag space by operator.

Best,
Peter

[1]: Slides 10, 11 https://ripe78.ripe.net/presentations/5-20190520-RIPE-78-DNS-wg-Keytags.pdf

-- 
https://desec.io/

v2.35.0 | Report a Bug | By Email | System Status