Re: [DNSOP] Time to update RSAMD5 and perhaps DSA (algs 1 and 3) to MUST NOT?
Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 05 December 2018 23:55 UTC
Date: Wed, 05 Dec 2018 18:54:55 -0500
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dnsop@ietf.org
Message-ID: <20181205235455.GY79754@straasha.imrryr.org>
Reply-To: dnsop@ietf.org
References: <20181201195126.GK4122@straasha.imrryr.org> <A30290FE-DED7-46BD-B07B-7E795F6B3334@isc.org> <20181205221417.GW79754@straasha.imrryr.org>
In-Reply-To: <20181205221417.GW79754@straasha.imrryr.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/y1FqD4Fea5xsgzzmbCFVNUPP7FA>
Subject: Re: [DNSOP] Time to update RSAMD5 and perhaps DSA (algs 1 and 3) to MUST NOT?
On Wed, Dec 05, 2018 at 05:14:17PM -0500, Viktor Dukhovni wrote:

> I don't think this counts as a "production" RSAMD5 deployment.

Speaking of "production", some of the DS RRs don't look like they were
ever intended to work.  The odds against a hex-encoded digest containing
only digits are ~146,000,000 : 1 for SHA1 and ~11.6*10^12 : 1 for
SHA2-256.  And yet looking at the DS RRs with algorithm 1 I find a large
proportion of highly implausible values consisting of just decimal
digits:

    abwg12616-459.com. IN DS 3 1 1 0000000500000000000000000000100000000000
    abwg12616-459.com. IN DS 5 1 1 0000880000000000000000000000100000000000
    abwg12616-459.com. IN DS 6 1 1 0005550000000000000000000000100000000001
    carelifesoftware.com. IN DS 1 1 1 0123456789012345678901234567890123456789
    virtualtechnologycenter.com. IN DS 1 1 1 0987654321012345678954321678900987654321
    adgraphs.com. IN DS 1000 1 1 1111111111111111111111111111111111111111
    digitransservices.com. IN DS 12345 1 1 1111111111111111111111111111111111111111
    floresti-online.net. IN DS 6733 1 1 1111111111111111111111111111111111111111
    redomain20160307.info. IN DS 2 1 1 1111111111111111111111111111111111111111
    rtgdsasdgfasdf.info. IN DS 1 1 1 1111111111111111111111111111111111111111
    techdeft.com. IN DS 3494 1 1 1111111111111111111111111111111111111111
    muakyuc.com. IN DS 111 1 2 1111111111111111111111111111111111111111111111111111111111111111
    zealwebtech.com. IN DS 65535 1 2 1111111111111111111111111111111111111111111111111111111111111234
    googleupdatetask.com. IN DS 1233 1 1 1111111111222222222233333333334444444444
    zenericpharma.com. IN DS 9876 1 1 1111111111222222223333333444444555556666
    antoinecommunications.com. IN DS 142 1 1 1111222233334444555566667777888899990000
    achteam.net. IN DS 12344 1 1 1123494393929493293239234291239423942394
    nobonesaboutitrealty.com. IN DS 1185 1 1 1185118511851185118511851185118511851185
    cossioinsurance.net. IN DS 12021 1 1 1202112021120211202112021120211202112021
    visionaryrhino.com. IN DS 12345 1 1 1234567812345678123456781234567812345678
    226pitsaktest.bid. IN DS 123 1 1 1234567890123456789012345678901234567890
    3-2-2012gdqatesting.com. IN DS 23213 1 1 1234567890123456789012345678901234567890
    cuhksis.com. IN DS 1996 1 1 1234567890123456789012345678901234567890
    diaryofthenarcissist.com. IN DS 2341 1 1 1234567890123456789012345678901234567890
    dooskers.com. IN DS 1212 1 1 1234567890123456789012345678901234567890
    eticaretif.com. IN DS 1453 1 1 1234567890123456789012345678901234567890
    netartdr.com. IN DS 1 1 1 1234567890123456789012345678901234567890
    pratechsol.com. IN DS 65420 1 1 1234567890123456789012345678901234567890
    precreto.com. IN DS 1 1 1 1234567890123456789012345678901234567890
    rastey.com. IN DS 1962 1 1 1234567890123456789012345678901234567890
    reliefsys.com. IN DS 2675 1 1 1234567890123456789012345678901234567890
    rodrigocastilho.com. IN DS 1 1 1 1234567890123456789012345678901234567890
    tokcan.com. IN DS 12345 1 1 1234567890123456789012345678901234567890
    alfahero.com. IN DS 1980 1 1 1234567890123456789012345678901234567899
    guidedtechnologies.net. IN DS 40223 1 1 1234567890987654321012345678909876543210
    civictra.com. IN DS 16738 1 1 1234567891234567891234567891234567891234
    radsw.com. IN DS 62660 1 1 1234567891234567891234567891234567891234
    brdtest011112.com. IN DS 2 1 1 1234567899876543211234567898741236547892
    resellerglobotec.com. IN DS 8110 1 1 1330133013301330133013301330133013301330
    parnanetra.com. IN DS 16 1 1 1641970127196318519661641970127196318519
    hotfix241117-live.info. IN DS 111 1 1 2222211111111111111111111111111111122222
    domcontact.bid. IN DS 1 1 1 2323343444444777444444444444444444444445
    280520143.com. IN DS 123 1 1 2343546788999999999999999999999999999999
    226pitsaktest.bid. IN DS 234 1 2 2345678901234567890123456789012345678901234567890123456788901223
    226pitsaktest.bid. IN DS 2345 1 2 2345678901234567890123456789012345678901234567890123456788901223
    smma.info. IN DS 2222 1 1 2364358523698745214569874563214569874562
    20160418uaqatest.com. IN DS 12423 1 1 3433333333333333333333333333333333455555
    catholicdevotees.com. IN DS 22021 1 1 5869745236789564123656897485236589785412
    careerfunction.com. IN DS 63267 1 1 6326739963267399632673996326739963267399
    laaraa.com. IN DS 45632 1 1 6565788980009087546456558814434135697645
    fatblack-sekai.info. IN DS 46239 1 1 8659796995795649986986869895955499595595
    niceandsharealstate.net. IN DS 65535 1 1 8888888888888888888888888888888888888888
    r2webtech.com. IN DS 1 1 1 9237923792379237923792379237923792379237
    gwaliortimes.in. IN DS 65535 1 1 9425738101942573810194257381019425738101
    poggyaservices.in. IN DS 6887 1 1 9665649035966564903596656490359665649035
    dvdschool.in. IN DS 45678 1 1 9878765413594321222346789009797543214567

There are also some clearly made-up values that are not all digits:

    0jl.com. IN DS 100 1 1 0123456789abcdef0123456789abcdef01234567
    noblezahotel.com. IN DS 1424 1 1 1111111111aaaaaaaaaa2222222222bbbbbbbbbb
    cardiagen.com. IN DS 2525 1 1 79843759877573822131098790129872653abcde
    interpro-books.biz. IN DS 123 1 1 a123456789012345678911234567892123456789

No idea why people would just "make up" (non-)random DS records for
their domains, but for some reason some do.  These made-up DS RRs are
present for 56 out of the 139 domains with RSAMD5 DS RRs, but only
rootcanary.net actually has RSAMD5 keys.

Basically, the RSAMD5 DS RRs are toxic waste that often never worked,
or if they ever did, no longer match reality, rootcanary.net aside.

-- 
    Viktor.
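The triage described in the message above, as an added example that is not part of Viktor's post or of any DNSOP draft: it reproduces the "odds against an all-decimal digest" figure, applies a few plausibility heuristics (all decimal, repeating pattern, too few distinct symbols, sequential run, wrong digest length for the digest type) to DS lines copied from the post, and then does the check that actually matters, recomputing the DS digest from a DNSKEY per RFC 4034 section 5.1.4 and comparing owner, algorithm, key tag and digest. The owner name example.net., the algorithm-13 key with public-key bytes 0..63, and the flag names are assumptions constructed for the example; nothing queries DNS, so it runs offline.

```python
"""Triage DS records: flag digests that look typed in, and check a DS against a DNSKEY.

Added example, not code from the original post. DS digest construction follows
RFC 4034 section 5.1.4: hash(canonical owner name in wire format || DNSKEY RDATA).
Digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
"""
import hashlib
import re
from fractions import Fraction

DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}
DIGEST_HASH = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def odds_all_decimal(hex_len):
    """Odds (N : 1) against a uniformly random hex digest of hex_len chars being all 0-9."""
    return round(1 / Fraction(10, 16) ** hex_len)


def parse_ds(line):
    """Parse 'owner [TTL] IN DS keytag alg dtype digest' presentation format."""
    f = line.split()
    if f[1].isdigit():  # optional TTL between owner and class
        del f[1]
    if f[1] != "IN" or f[2] != "DS":
        raise ValueError("not a DS record: %r" % line)
    return {"owner": f[0], "keytag": int(f[3]), "alg": int(f[4]),
            "dtype": int(f[5]), "digest": "".join(f[6:]).lower()}


def smallest_period(s):
    """Length of the shortest string whose repetition gives s (len(s) if none)."""
    return next(p for p in range(1, len(s) + 1)
                if len(s) % p == 0 and s == s[:p] * (len(s) // p))


def has_run(s, k, base):
    """True if s contains k consecutive symbols that each step by +1 mod base."""
    for i in range(len(s) - k + 1):
        try:
            v = [int(c, base) for c in s[i:i + k]]
        except ValueError:  # window contains a symbol outside the base
            continue
        if all((v[j + 1] - v[j]) % base == 1 for j in range(k - 1)):
            return True
    return False


def plausibility_flags(ds):
    """Heuristics (constructed for this example) for digests that were made up, not computed."""
    d, flags = ds["digest"], []
    expect = DIGEST_HEX_LEN.get(ds["dtype"])
    if expect is None:
        flags.append("unknown-digest-type")
    elif len(d) != expect:
        flags.append("wrong-digest-length")
    if not re.fullmatch(r"[0-9a-f]+", d):
        flags.append("not-hex")
    if d.isdigit():
        flags.append("all-decimal")  # ~146M : 1 (SHA-1) / ~11.6e12 : 1 (SHA-256) against
    if len(d) >= 20 and smallest_period(d) <= 10:
        flags.append("repeating-pattern")
    if len(set(d)) <= 6:
        flags.append("few-distinct-symbols")  # a random 40-hex digest has ~15 distinct symbols
    if has_run(d, 8, 10) or has_run(d, 5, 16):
        flags.append("sequential-run")
    return flags


def wire_name(name):
    """Canonical (lowercase, uncompressed) wire-format owner name."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, alg, pubkey):
    return flags.to_bytes(2, "big") + bytes([protocol, alg]) + pubkey


def keytag(rdata):
    """RFC 4034 appendix B key tag (not valid for algorithm 1, RSAMD5, which uses modulus bits)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner, rdata, dtype):
    return DIGEST_HASH[dtype](wire_name(owner) + rdata).hexdigest()


def make_ds(owner, rdata, dtype):
    """Presentation-format DS record computed from a DNSKEY RDATA (rdata[3] is the algorithm)."""
    return "%s IN DS %d %d %d %s" % (owner, keytag(rdata), rdata[3], dtype,
                                     ds_digest(owner, rdata, dtype))


def ds_matches_dnskey(ds, owner, rdata):
    """True only if owner, algorithm, key tag and recomputed digest all agree."""
    return (ds["owner"].lower() == owner.lower() and ds["alg"] == rdata[3]
            and ds["keytag"] == keytag(rdata) and ds["dtype"] in DIGEST_HASH
            and ds["digest"] == ds_digest(owner, rdata, ds["dtype"]))


# Sample DS lines copied from the post, plus a constructed DNSKEY (example.net., algorithm 13,
# public-key bytes 0..63; not a real key) to show what a computed DS looks like beside them.
SAMPLE_DS = [
    "abwg12616-459.com. IN DS 3 1 1 0000000500000000000000000000100000000000",
    "carelifesoftware.com. IN DS 1 1 1 0123456789012345678901234567890123456789",
    "muakyuc.com. IN DS 111 1 2 1111111111111111111111111111111111111111111111111111111111111111",
    "noblezahotel.com. IN DS 1424 1 1 1111111111aaaaaaaaaa2222222222bbbbbbbbbb",
    "cardiagen.com. IN DS 2525 1 1 79843759877573822131098790129872653abcde",
]
EXAMPLE_RDATA = dnskey_rdata(257, 3, 13, bytes(range(64)))

if __name__ == "__main__":
    print("odds against an all-decimal SHA-1 DS: %d : 1" % odds_all_decimal(40))
    for line in SAMPLE_DS + [make_ds("example.net.", EXAMPLE_RDATA, 2)]:
        ds = parse_ds(line)
        print("%-28s %s" % (ds["owner"], ", ".join(plausibility_flags(ds)) or "looks computed"))
```

The heuristics only say a digest is unlikely to have come out of a hash; the authoritative check is ds_matches_dnskey against the child's actual DNSKEY RRset, which is the comparison a validator makes and which the post notes fails for every listed domain except rootcanary.net.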
- [DNSOP] Time to update RSAMD5 and perhaps DSA (al… Viktor Dukhovni
- Re: [DNSOP] Time to update RSAMD5 and perhaps DSA… Paul Wouters
- Re: [DNSOP] Time to update RSAMD5 and perhaps DSA… Ondřej Surý
- Re: [DNSOP] Time to update RSAMD5 and perhaps DSA… Viktor Dukhovni
- Re: [DNSOP] Time to update RSAMD5 and perhaps DSA… Viktor Dukhovni
- Re: [DNSOP] Time to update RSAMD5 and perhaps DSA… Hugo Salgado-Hernández
- Re: [DNSOP] Time to update RSAMD5 and perhaps DSA… Viktor Dukhovni
- Re: [DNSOP] Time to update RSAMD5 and perhaps DSA… Mark Andrews
- Re: [DNSOP] Time to update RSAMD5 and perhaps DSA… Patrick Mevzek