On 2 Aug 2018, at 12:14, Paul Wouters wrote:
On Tue, 31 Jul 2018, Matt Larson wrote:
For all those reasons, I think a checksum in the zone file itself
that can be verified with DNSSEC is the best option for this use
case, and I like the ZONEMD solution.
Note that the checksum in this case must be at least as
cryptographically strong as the signature algorithm used
in the individual RRSIGs/DNSKEYs.
Not true.
If the resolver is validating, the ZONEMD only adds assurance that the
non-signed records are there. Thus, the hash algorithm for the zone is
unrelated to the hash algorithms in the signatures.
If the resolver is not validating, the ZONEMD assures that all the
records are there. The strength of that assurance is the same as the
second pre-image strength of the hash. However, the resolver cannot say
"oh, look, now I can start resolving with what I got in the zone
transfer": it still needs to validate every RRSIG all the way to the
root.
This would have to be
enforced by software/RFC to prevent a downgrade attack.
Given the above, what downgrade attack are you thinking of?
--Paul Hoffman
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
