Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

"Wessels, Duane" <dwessels@verisign.com> Thu, 26 July 2018 16:40 UTC

From: "Wessels, Duane" <dwessels@verisign.com>
To: Ondřej Surý <ondrej@isc.org>
CC: "Weinberg, Matt" <mweinberg=40verisign.com@dmarc.ietf.org>, dnsop <dnsop@ietf.org>
Thread-Topic: [EXTERNAL] [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
Thread-Index: AQHUJP9eA1A26oEiNUe9H7o4d5V8lQ==
Date: Thu, 26 Jul 2018 16:40:31 +0000
Message-ID: <056430ED-F87E-4170-B2D0-0EA3F57D9C60@verisign.com>
References: <4DCC5A51-1AB0-47B6-92B5-79B6894F9A9C@verisign.com> <6FFED142-0752-40FD-AF5C-7E9D6617DC03@isc.org>
In-Reply-To: <6FFED142-0752-40FD-AF5C-7E9D6617DC03@isc.org>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kxgcAY9i1IKJtwSNOMuYpayC9d8>
Subject: Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>

Ondrej,

Thanks, I think that's a fair point.  I was of course hoping not to create yet another IANA registry.

If the ZONEMD RR included a count of records, as suggested by Paul Wouters, would you then be comfortable
just using the DS hash algorithms?

DW


> On Jul 25, 2018, at 8:47 PM, Ondřej Surý <ondrej@isc.org> wrote:
> 
> Hi Matt, and other authors,
> 
> With my cryptoplumber[1] hat on, I am strongly opposed to using SHA-1 and GOST R 34.11-94 for ZONEMD.
> 
> It is my understanding that the specific usage of the hashing function in the DS record improves the collision
> resistance of the algorithm, because the input data is so small and it has to be a valid DNSKEY record[2].
> 
> For ZONEMD this isn't true, as you can (in theory) feed the zone an infinite amount of non-DNSSEC-signed
> data (glue, delegations), thus making a collision attack feasible.
> 
> Thus I believe Section 2.1.2 must be changed to disallow the use of algorithms with weakened collision
> resistance (and algorithms deprecated by the Russians themselves :). It wouldn't be enough just to discourage
> SHA-1 for creating the ZONEMD; it needs to be forbidden for validating such a record as well.
> I think that a new IANA table for ZONEMD must be established, because the security properties of the algorithm
> usage are different in DS and ZONEMD records.
> 
> Thanks,
> Ondrej
> 
> 1. I would be happy if any real cryptographer would chime in.
> 
> 2. It doesn't have to be a valid DNSKEY if you just want to cause a ruckus, but if you are able to inject invalid DS
>    records, you might as well cause damage at other levels of the DNS tree.
> 
> --
> Ondřej Surý
> ondrej@isc.org
> 
>> On 23 May 2018, at 17:32, Weinberg, Matt <mweinberg=40verisign.com@dmarc.ietf.org> wrote:
>> 
>> Greetings dnsop,
>> 
>> We’ve posted a new version of draft-wessels-dns-zone-digest.  Of note, this -01 version includes the following changes:
>> 
>> 	• Warren Kumari and Wes Hardaker have been added as coauthors.
>> 	• Several points of clarification in wording and descriptions.
>> 	• Removed the requirement to sort by RR CLASS.
>> 	• Added a Change Log section.
>> 
>> Warren and Wes had started on a very similar but unpublished draft, which we should've remembered.  Thanks to them for agreeing to join this document as coauthors.
>> We plan to ask for time on the dnsop agenda in Montreal.  Your feedback is welcome and appreciated.
>> 
>> Thanks.
>> 
>> ----
>> 
>>   A new version of I-D, draft-wessels-dns-zone-digest-01.txt
>>   has been successfully submitted by Matt Weinberg and posted to the
>>   IETF repository.
>> 
>>   Name:		draft-wessels-dns-zone-digest
>>   Revision:	01
>>   Title:		Message Digest for DNS Zones
>>   Document date:	2018-05-17
>>   Group:		Individual Submission
>>   Pages:		13
>>   URL:            https://www.ietf.org/internet-drafts/draft-wessels-dns-zone-digest-01.txt
>>   Status:         https://datatracker.ietf.org/doc/draft-wessels-dns-zone-digest/
>>   Htmlized:       https://tools.ietf.org/html/draft-wessels-dns-zone-digest-01
>>   Htmlized:       https://datatracker.ietf.org/doc/html/draft-wessels-dns-zone-digest
>>   Diff:           https://www.ietf.org/rfcdiff?url2=draft-wessels-dns-zone-digest-01
>> 
>>   Abstract:
>>      This document describes a protocol and DNS Resource Record used to
>>      provide a message digest over DNS zone data.  In particular, it
>>      describes how to compute, sign, represent, and use the message digest
>>      to verify the contents of a zone for accuracy and completeness.  The
>>      ZONEMD Resource Record type is introduced for conveying the message
>>      digest data.
>> 
>>   Please note that it may take a couple of minutes from the time of submission
>>   until the htmlized version and diff are available at tools.ietf.org.
>> 
>>   The IETF Secretariat
>> 
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
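The contrast Ondrej draws above between the two hash usages, and the record-count idea Duane raises, can be seen on data with the following added example. It is not code from the draft, from Verisign or from ISC, and it does not reproduce the draft's exact wire specification: the ZONEMD-style serialisation (owner | type | class | TTL | rdlength | rdata for each RR in RFC 4034 canonical order, ZONEMD itself excluded), the record count carried beside the digest, and the validator's ALLOWED algorithm set are all assumptions chosen for illustration. The DS input (owner name followed by DNSKEY RDATA) follows RFC 4034 section 5.1.4. The sample zone is constructed.

```python
"""Added example, not code from the draft or from any poster in this thread.

DS digest input (RFC 4034 s5.1.4): owner name | DNSKEY RDATA, a few dozen bytes
of structured data.  ZONEMD-style digest input (simplified here): every RR in
the zone, including unsigned delegation NS and glue, in canonical order.

Assumptions of this example, not from the draft's wire specification:
  * records are (owner, type, ttl, rdata_wire) tuples, class IN
  * each RR is serialised as owner | type | class | ttl | rdlength | rdata
  * the ZONEMD record is left out of its own digest
  * a record count travels beside the digest (the idea raised in the thread)
  * validators accept only ALLOWED algorithms; SHA-1 is rejected outright
"""
import hashlib
import struct
from ipaddress import IPv4Address

TYPE_CODES = {"A": 1, "NS": 2, "DNSKEY": 48}
ALLOWED = {"sha256", "sha384"}  # policy choice for the example, not the draft's


def wire_name(name):
    """Uncompressed wire-format name, lowercased per RFC 4034 s6.2."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def name_key(name):
    """RFC 4034 s6.1 canonical order: labels compared right to left, lowercase."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return tuple(l.encode("ascii") for l in reversed(labels))


def rr_wire(owner, rtype, ttl, rdata):
    header = struct.pack("!HHIH", TYPE_CODES[rtype], 1, ttl, len(rdata))
    return wire_name(owner) + header + rdata


def zonemd_input(records):
    """Canonically ordered serialisation of all RRs except ZONEMD; returns (bytes, count)."""
    body = [r for r in records if r[1] != "ZONEMD"]
    body.sort(key=lambda r: (name_key(r[0]), TYPE_CODES[r[1]], r[3]))
    return b"".join(rr_wire(*r) for r in body), len(body)


def zonemd_digest(records, alg):
    data, count = zonemd_input(records)
    return count, hashlib.new(alg, data).hexdigest()


def verify_zonemd(records, alg, expected_count, expected_digest):
    """Validator side: refuse weak algorithms before hashing, then check count and digest."""
    if alg not in ALLOWED:
        return False
    count, digest = zonemd_digest(records, alg)
    return count == expected_count and digest == expected_digest


def ds_input(owner, dnskey_rdata):
    return wire_name(owner) + dnskey_rdata


def ds_digest(owner, dnskey_rdata, alg):
    return hashlib.new(alg, ds_input(owner, dnskey_rdata)).hexdigest()


def a_rdata(ip):
    return IPv4Address(ip).packed


# Constructed sample zone: apex DNSKEY and NS, one delegation with glue.
DNSKEY_RDATA = struct.pack("!HBB", 257, 3, 13) + bytes(range(32))  # flags, proto, alg, fake key
ZONE = [
    ("example.", "DNSKEY", 3600, DNSKEY_RDATA),
    ("example.", "NS", 3600, wire_name("ns1.example.")),
    ("ns1.example.", "A", 3600, a_rdata("192.0.2.1")),
    ("sub.example.", "NS", 3600, wire_name("ns.sub.example.")),  # delegation, not signed
    ("ns.sub.example.", "A", 3600, a_rdata("192.0.2.53")),       # glue, not signed
]


def bulk_glue(n):
    """n extra unsigned glue RRs: input the ZONEMD hash covers but no RRSIG constrains."""
    return [("ns%d.sub.example." % i, "A", 3600, IPv4Address(0x0A000000 + i).packed)
            for i in range(n)]


if __name__ == "__main__":
    print("DS input bytes:", len(ds_input("example.", DNSKEY_RDATA)))
    for n in (0, 1000):
        data, count = zonemd_input(ZONE + bulk_glue(n))
        print("ZONEMD input bytes with %4d extra glue RRs: %d (%d RRs)" % (n, len(data), count))
    count, digest = zonemd_digest(ZONE, "sha384")
    print("sha384 accepted:", verify_zonemd(ZONE, "sha384", count, digest))
    print("sha1 accepted  :", verify_zonemd(ZONE, "sha1", count, digest))
```

Changing a single glue address changes the ZONEMD digest while the DS digest is untouched, which is exactly the coverage ZONEMD is meant to add; the same property is what gives an attacker an unbounded, unsigned input space for collision search, so the validator here refuses SHA-1 rather than merely discouraging it. The count check makes a substituted zone match in record count as well as digest; it narrows the attacker's freedom but does not by itself restore collision resistance the hash lacks.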