Re: [DNSOP] Time to update RSAMD5 and perhaps DSA (algs 1 and 3) to MUST NOT?

Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 05 December 2018 23:55 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DCAE130E7C for <dnsop@ietfa.amsl.com>; Wed, 5 Dec 2018 15:55:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.837
X-Spam-Level:
X-Spam-Status: No, score=-1.837 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NUMERIC_HTTP_ADDR=1.242, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URI_HEX=1.122] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5F6GPNLriJqC for <dnsop@ietfa.amsl.com>; Wed, 5 Dec 2018 15:54:57 -0800 (PST)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B72E12E043 for <dnsop@ietf.org>; Wed, 5 Dec 2018 15:54:57 -0800 (PST)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id 726DCA52CC; Wed, 5 Dec 2018 18:54:55 -0500 (EST)
Date: Wed, 5 Dec 2018 18:54:55 -0500
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dnsop@ietf.org
Message-ID: <20181205235455.GY79754@straasha.imrryr.org>
Reply-To: dnsop@ietf.org
References: <20181201195126.GK4122@straasha.imrryr.org> <A30290FE-DED7-46BD-B07B-7E795F6B3334@isc.org> <20181205221417.GW79754@straasha.imrryr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20181205221417.GW79754@straasha.imrryr.org>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/y1FqD4Fea5xsgzzmbCFVNUPP7FA>
Subject: Re: [DNSOP] Time to update RSAMD5 and perhaps DSA (algs 1 and 3) to MUST NOT?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Dec 2018 23:55:04 -0000

On Wed, Dec 05, 2018 at 05:14:17PM -0500, Viktor Dukhovni wrote:

> I don't think this counts as a "production" RSAMD5 deployment.

Speaking of "production", some of the DS RRs, don't look like they
were ever intended to work.  The odds against a hex-encoded digest
containing only digits are ~146,000,000 : 1 for SHA1 and are
~11.6*10^12 : 1 for SHA2-256.  And yet looking at the DS RRs with
algorithm 1 I find a large proportion of highly implausible values
consisting of just decimal digits:

    abwg12616-459.com. IN DS 3 1 1 0000000500000000000000000000100000000000
    abwg12616-459.com. IN DS 5 1 1 0000880000000000000000000000100000000000
    abwg12616-459.com. IN DS 6 1 1 0005550000000000000000000000100000000001
    carelifesoftware.com. IN DS 1 1 1 0123456789012345678901234567890123456789
    virtualtechnologycenter.com. IN DS 1 1 1 0987654321012345678954321678900987654321
    adgraphs.com. IN DS 1000 1 1 1111111111111111111111111111111111111111
    digitransservices.com. IN DS 12345 1 1 1111111111111111111111111111111111111111
    floresti-online.net. IN DS 6733 1 1 1111111111111111111111111111111111111111
    redomain20160307.info. IN DS 2 1 1 1111111111111111111111111111111111111111
    rtgdsasdgfasdf.info. IN DS 1 1 1 1111111111111111111111111111111111111111
    techdeft.com. IN DS 3494 1 1 1111111111111111111111111111111111111111
    muakyuc.com. IN DS 111 1 2 1111111111111111111111111111111111111111111111111111111111111111
    zealwebtech.com. IN DS 65535 1 2 1111111111111111111111111111111111111111111111111111111111111234
    googleupdatetask.com. IN DS 1233 1 1 1111111111222222222233333333334444444444
    zenericpharma.com. IN DS 9876 1 1 1111111111222222223333333444444555556666
    antoinecommunications.com. IN DS 142 1 1 1111222233334444555566667777888899990000
    achteam.net. IN DS 12344 1 1 1123494393929493293239234291239423942394
    nobonesaboutitrealty.com. IN DS 1185 1 1 1185118511851185118511851185118511851185
    cossioinsurance.net. IN DS 12021 1 1 1202112021120211202112021120211202112021
    visionaryrhino.com. IN DS 12345 1 1 1234567812345678123456781234567812345678
    226pitsaktest.bid. IN DS 123 1 1 1234567890123456789012345678901234567890
    3-2-2012gdqatesting.com. IN DS 23213 1 1 1234567890123456789012345678901234567890
    cuhksis.com. IN DS 1996 1 1 1234567890123456789012345678901234567890
    diaryofthenarcissist.com. IN DS 2341 1 1 1234567890123456789012345678901234567890
    dooskers.com. IN DS 1212 1 1 1234567890123456789012345678901234567890
    eticaretif.com. IN DS 1453 1 1 1234567890123456789012345678901234567890
    netartdr.com. IN DS 1 1 1 1234567890123456789012345678901234567890
    pratechsol.com. IN DS 65420 1 1 1234567890123456789012345678901234567890
    precreto.com. IN DS 1 1 1 1234567890123456789012345678901234567890
    rastey.com. IN DS 1962 1 1 1234567890123456789012345678901234567890
    reliefsys.com. IN DS 2675 1 1 1234567890123456789012345678901234567890
    rodrigocastilho.com. IN DS 1 1 1 1234567890123456789012345678901234567890
    tokcan.com. IN DS 12345 1 1 1234567890123456789012345678901234567890
    alfahero.com. IN DS 1980 1 1 1234567890123456789012345678901234567899
    guidedtechnologies.net. IN DS 40223 1 1 1234567890987654321012345678909876543210
    civictra.com. IN DS 16738 1 1 1234567891234567891234567891234567891234
    radsw.com. IN DS 62660 1 1 1234567891234567891234567891234567891234
    brdtest011112.com. IN DS 2 1 1 1234567899876543211234567898741236547892
    resellerglobotec.com. IN DS 8110 1 1 1330133013301330133013301330133013301330
    parnanetra.com. IN DS 16 1 1 1641970127196318519661641970127196318519
    hotfix241117-live.info. IN DS 111 1 1 2222211111111111111111111111111111122222
    domcontact.bid. IN DS 1 1 1 2323343444444777444444444444444444444445
    280520143.com. IN DS 123 1 1 2343546788999999999999999999999999999999
    226pitsaktest.bid. IN DS 234 1 2 2345678901234567890123456789012345678901234567890123456788901223
    226pitsaktest.bid. IN DS 2345 1 2 2345678901234567890123456789012345678901234567890123456788901223
    smma.info. IN DS 2222 1 1 2364358523698745214569874563214569874562
    20160418uaqatest.com. IN DS 12423 1 1 3433333333333333333333333333333333455555
    catholicdevotees.com. IN DS 22021 1 1 5869745236789564123656897485236589785412
    careerfunction.com. IN DS 63267 1 1 6326739963267399632673996326739963267399
    laaraa.com. IN DS 45632 1 1 6565788980009087546456558814434135697645
    fatblack-sekai.info. IN DS 46239 1 1 8659796995795649986986869895955499595595
    niceandsharealstate.net. IN DS 65535 1 1 8888888888888888888888888888888888888888
    r2webtech.com. IN DS 1 1 1 9237923792379237923792379237923792379237
    gwaliortimes.in. IN DS 65535 1 1 9425738101942573810194257381019425738101
    poggyaservices.in. IN DS 6887 1 1 9665649035966564903596656490359665649035
    dvdschool.in. IN DS 45678 1 1 9878765413594321222346789009797543214567

There also some clearly made up values that are not all digits:

    0jl.com. IN DS 100 1 1 0123456789abcdef0123456789abcdef01234567
    noblezahotel.com. IN DS 1424 1 1 1111111111aaaaaaaaaa2222222222bbbbbbbbbb
    cardiagen.com. IN DS 2525 1 1 79843759877573822131098790129872653abcde 
    interpro-books.biz. IN DS 123 1 1 a123456789012345678911234567892123456789

No idea why people would just "make up" (non-)random DS records for
their domains, but for some reason some do.  These made-up DS RRs
are present for 56 out of the 139 domains with RSAMD5 DS RRs, but
only rootcanary.net actually has RSAMD5 keys.

Basically, the RSAMD5 DS RRs are toxic waste that often never worked,
or if they ever did, no longer match reality, rootcanary.net aside.

-- 
	Viktor.