Re: [secdir] review of draft-ietf-dnsext-dnssec-gost-05

Paul Hoffman <> Fri, 08 January 2010 16:13 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6497B28C10E for <>; Fri, 8 Jan 2010 08:13:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.046
X-Spam-Status: No, score=-6.046 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id HttUNxjGY3vD for <>; Fri, 8 Jan 2010 08:13:09 -0800 (PST)
Received: from (Balder-227.Proper.COM []) by (Postfix) with ESMTP id 01B413A677C for <>; Fri, 8 Jan 2010 08:13:07 -0800 (PST)
Received: from [] ( []) (authenticated bits=0) by (8.14.2/8.14.2) with ESMTP id o08GCVAw020420 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 8 Jan 2010 09:12:33 -0700 (MST) (envelope-from
Mime-Version: 1.0
Message-Id: <p06240812c76d0821dd1b@[]>
In-Reply-To: <>
References: <p06240810c76be77be756@[]> <> <p06240818c76c1a38cbf8@[]> <>
Date: Fri, 8 Jan 2010 08:12:29 -0800
To: Andrew Sullivan <>, Stephen Kent <>
From: Paul Hoffman <>
Content-Type: text/plain; charset="us-ascii"
Cc:,,, Ralph Droms <>
Subject: Re: [secdir] review of draft-ietf-dnsext-dnssec-gost-05
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 08 Jan 2010 16:13:15 -0000

To take it one step further: a signing algorithm that is easily broken opens up a new attack vector. Imagine that all DNSSEC "client" implementations (resolvers) need to support two algorithms, A and B. If A and B are of actual equal strength, an attacker has an equal problem. However, if B is found to have weaknesses that allows an attacker to forge signatures, that attacker then can create a bogus chain to a trust anchor using B in the entire path.

It is for this reason that DNSSEC does not, for example, require that resolvers MUST be able to validate RSA signatures with 256-bit keys. However, by saying that resolvers MUST be able to validate anything other than the widely-agreed-to algorithms, you are opening up such an attack.

GOST signatures use a hash algorithm that has a known academic attack. Thus, even if the GOST asymmetric encryption algorithm is as strong as RSA with the size of keys that people are using, the overall signing algorithm may be weaker. This is *not* an argument that Russia should not use GOST: they have made their own security decisions based on the same knowledge that we have (and possibly more). It is, however, an argument against making everyone else be able to verify GOST signatures as if they were equivalent to other mandatory-to-implement signature algorithms.