Re: [DNSOP] Whiskey Tango Foxtrot on key lengths...

Paul Wouters <> Thu, 27 March 2014 20:33 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id AFB541A033A for <>; Thu, 27 Mar 2014 13:33:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id VffB3aZBdr0b for <>; Thu, 27 Mar 2014 13:33:25 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 4ECBB1A01FD for <>; Thu, 27 Mar 2014 13:33:24 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 99965800AA; Thu, 27 Mar 2014 16:33:22 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=default; t=1395952402; bh=2u7qRRpDlg0FpqP2fG+uelofnUxaHCkVTRTB0jy29EA=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=dSfONOn3o0yqwsP3WUewaz2OaUWcVMzEBuntwRkfYCt26qiPhetm6DjP2exVYFrNT AdNmxQW9HdOObDTbpWONzc0bwpjivT5NQRLP5Z/oFM93BQVAFKGBNxzrnkzQwvS57w YMIp/xlNfhpv+FK0xk7ep7APUpqhlOYLhJ7ABNfE=
Received: from localhost (paul@localhost) by (8.14.7/8.14.7/Submit) with ESMTP id s2RKXMZO001149; Thu, 27 Mar 2014 16:33:22 -0400
X-Authentication-Warning: paul owned process doing -bs
Date: Thu, 27 Mar 2014 16:33:22 -0400 (EDT)
From: Paul Wouters <>
To: Nicholas Weaver <>
In-Reply-To: <>
Message-ID: <>
References: <> <> <> <> <> <>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
Cc: dnsop WG <>
Subject: Re: [DNSOP] Whiskey Tango Foxtrot on key lengths...
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 27 Mar 2014 20:33:26 -0000

On Thu, 27 Mar 2014, Nicholas Weaver wrote:

>> 1 month validity.
> I said "don't give me that key roll crap" for a reason.

A bad reason.

> For an attacker, the root ZSK is not 1 month validity, since an attacker who's in a position to take advantage of such a ZSK compromise is going to be faking all of DNS for the target, and can therefore just as easily also fake NTP, ensuring that the attacker's key is still valid for most victims.

Than you have lost forever because we have used a 1024 key in the past.
You can always NTP attack them to today's 1024 key, and no increase in
key size in the future will help you.

> So you'd need to update the resolvers to either ignore <2048b root ZSKs or add in clock-ratchets, where the resolver never allows the clock to roll back more than a certain extent, or deploy a crypto-interactive NTP, etc....

If you can ignore old root keys, than you have already defeated your NTP
attack, in which case your "key roll crap" arguments falls as well.