Re: [DNSOP] New Version Notification for draft-pusateri-dnsop-update-timeout-00.txt

Tom Pusateri <pusateri@bangj.com> Sun, 26 August 2018 23:31 UTC

Return-Path: <pusateri@bangj.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E4ED130DD5 for <dnsop@ietfa.amsl.com>; Sun, 26 Aug 2018 16:31:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xHhWzHzrZvyN for <dnsop@ietfa.amsl.com>; Sun, 26 Aug 2018 16:31:23 -0700 (PDT)
Received: from oj.bangj.com (amt0.gin.ntt.net [129.250.11.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 275091277C8 for <dnsop@ietf.org>; Sun, 26 Aug 2018 16:31:23 -0700 (PDT)
Received: from [172.16.10.128] (unknown [107.13.224.116]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by oj.bangj.com (Postfix) with ESMTPSA id 471D727AA; Sun, 26 Aug 2018 19:26:59 -0400 (EDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (1.0)
From: Tom Pusateri <pusateri@bangj.com>
X-Mailer: iPhone Mail (16A5364a)
In-Reply-To: <5B8332C7.2050209@redbarn.org>
Date: Sun, 26 Aug 2018 19:31:20 -0400
Cc: dnsop@ietf.org, Ted Lemon <mellon@fugue.com>, Paul Vixie <vixie@fsi.io>
Content-Transfer-Encoding: quoted-printable
Message-Id: <42271E41-2B8F-42B5-9587-2FEFABEFBFFF@bangj.com>
References: <153507165910.12116.7113196606839876181.idtracker@ietfa.amsl.com> <CAPt1N1=o3KRa_X2KTuW1=KagOv1R0KM=QvT0QBf5YrOSWTr9mw@mail.gmail.com> <461B2749-E2A4-42B8-9FB3-824D96039423@bangj.com> <2581322.trI6Ix2n6k@linux-9daj> <AA14BDA5-2173-4CED-97E7-3F550ADCB51C@bangj.com> <5B832FBD.9070505@redbarn.org> <90C3CC19-0A39-4D53-A17B-9DBA79F05C2C@bangj.com> <5B8332C7.2050209@redbarn.org>
To: Paul Vixie <paul@redbarn.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/yY8IfEPN2AN6IkPg1k733thWzIw>
Subject: Re: [DNSOP] New Version Notification for draft-pusateri-dnsop-update-timeout-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Aug 2018 23:31:25 -0000


> On Aug 26, 2018, at 7:07 PM, Paul Vixie <paul@redbarn.org>; wrote:
> 
> Tom Pusateri wrote:
>> 
>> There’s no attack vector here. And a collision would have to be
>> another valid RR already in the database with the same owner name and
>> class. This is literally impossible. Probably not even with md5!
> 
> as i wrote when the discussion of catalog zone hashing got to this point, "if collisions are impossible even with md5, then please use md5, and include a security considerations paragraph or two as to how this is not a problem. for that matter, if md4 or md3 will work, use those. unnec'y hash complexity is a form of security theater."
> 
> -- 
> P Vixie

You may be ok with that but no one from the security area will be. That’s just a fact of the times. The code in OpenSSL is identical no matter which hash you pick except for the hash name so it’s no more complex to implement. 

My approach was to pick the best hash available with a small output length.

Thanks,
Tom