Re: [DNSOP] [Ext] About key tags

John Levine <johnl@taugh.com> Tue, 27 February 2024 20:24 UTC

Date: Tue, 27 Feb 2024 15:24:09 -0500
Message-Id: <20240227202409.70647840DF26@ary.qy>
From: John Levine <johnl@taugh.com>
To: dnsop@ietf.org
Cc: peter@desec.io
In-Reply-To: <c5a885e7-0790-4061-8311-a03cb5ac9dee@desec.io>
Organization: Taughannock Networks
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/tMjHqeRMJPQjFV7IuomC5CJAFJI>
Subject: Re: [DNSOP] [Ext] About key tags

It appears that Peter Thomassen <peter@desec.io> said:
>
>On 2/16/24 17:19, Jim Reid wrote:
>It rather seems like inviting instability, then telling the signer "well, you knew...! Or should have, at least."
>
>I don't see in what way that's better than what we have with the current fixes, which successfully address the problem and (AFAICS) don't need to be touched again.

While I should have been doing something else, I scanned all of the
gTLD zone files with more than a million names looking for keytag
collisions.  I also looked at .SE and .NU because the zone files
are available and .NU has a lot of signed delegations.  The total
number of domains was about 200 million although most of them are not
signed.

The total number of domains where I found duplicate tags was 105. Of
those, all but 20 were KSK and ZSK with the same tag, which should be
harmless. The total number where there were more than two tags with
the same ID was ZERO.

So while I understand why BIND and Unbound did the stuff they did, in
practice if you return SERVFAIL when you see three keys with the same
ID, you will be fine and nobody will notice. Counting RRSIGs is harder
but given the low number of keys, I expect a similarly low limit on
signatures would be equally effective.

This really is a tempest in a teapot.

R's,
John
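As an added illustration of the scan described in this message (not code from the author), the following computes the RFC 4034 Appendix B key tag for DNSKEY records read from zone-file text and counts, per owner name, how many keys share a tag, flagging the "more than two keys with the same ID" case. The zone excerpt, owner names and key material are constructed for the example.

```python
import base64
from collections import defaultdict

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(line: str):
    """Parse one presentation-format DNSKEY RR into (owner, flags, wire RDATA)."""
    tok = line.split()
    i = tok.index("DNSKEY")
    flags, proto, alg = (int(x) for x in tok[i + 1:i + 4])
    pubkey = base64.b64decode("".join(tok[i + 4:]))  # key text may contain spaces
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return tok[0], flags, rdata

def scan_zone(zone_text: str, max_per_tag: int = 2):
    """Per owner: ({tag: [flags, ...]} for tags shared by >1 key, and whether
    any tag is carried by more than max_per_tag keys)."""
    by_owner = defaultdict(lambda: defaultdict(list))
    for line in zone_text.splitlines():
        if " DNSKEY " not in line:
            continue
        owner, flags, rdata = parse_dnskey(line)
        by_owner[owner][key_tag(rdata)].append(flags)
    report = {}
    for owner, tags in by_owner.items():
        dups = {t: f for t, f in tags.items() if len(f) > 1}
        report[owner] = (dups, any(len(f) > max_per_tag for f in dups.values()))
    return report

# Constructed zone excerpt: a KSK (257) and ZSK (256) sharing tag 1038 (the
# harmless pair case), a third key also tagged 1038, and one unrelated key.
ZONE = """\
example. 3600 IN DNSKEY 257 3 13 AAA=
example. 3600 IN DNSKEY 256 3 13 AAE=
example. 3600 IN DNSKEY 256 3 13 AAAAAQ==
example. 3600 IN DNSKEY 256 3 13 AgI=
other. 3600 IN DNSKEY 257 3 13 AAA=
"""

if __name__ == "__main__":
    for owner, (dups, too_many) in scan_zone(ZONE).items():
        print(owner, dups, "over limit" if too_many else "ok")
```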