Re: [DNSOP] [Ext] About key tags

Thu, 15 Feb 2024 01:37:13 -0800 

On 14. 02. 24 16:45, Shumon Huque wrote:
On Wed, Feb 14, 2024 at 7:46 AM Edward Lewis <edward.le...@icann.org <mailto:edward.le...@icann.org>> wrote: 

    On 2/14/24, 04:40, "DNSOP on behalf of Petr Špaček"
    <dnsop-boun...@ietf.org <mailto:dnsop-boun...@ietf.org> on behalf of
    pspa...@isc.org <mailto:pspa...@isc.org>> wrote:

     >    In my mind this is good enough reason to outlaw keytag
    collisions -
     >    without them it would be _much_ easier to implement reasonable
    limits
     >    without risk of breaking legitimate clients.

    That would make key tags meaningful. ;--)

    The question is how, in a multi-signer friendly way.



Yes, enforcing non-colliding keytags in a multi-signer configuration is 
more challenging, since coordination across multiple independent parties 
may be needed. But a process could be developed to deal with that.



But I'm not sure how worried I am about it, as a practical matter. Even 
if by some remarkable coincidence all keys collided in a 2 party KSK+ZSK 
multi-signer configuration, Unbound with its 4-keytag limit would still 
be able to deal with it.( I guess some additional room for pre-published 
rollover keys may be needed if they also collided).


What colliding keytag limits are other resolver implementers placing?



Right now BIND tolerates 1 validation failure before hard-failing. This 
counter is not limited to colliding key tags.


In generic terms, the amount of work scales like:
#DNSKEYs * #RRSIGs
(for matching key tags)


Ed's example in the other thread with 1 DNSKEY and 10 bad RRSIGs is 
certainly a problem - thus the limit on number of validation failures.



The high-level trouble is that (currently legally) colliding keys make 
it hard to find a nice threshold which does not break legal setups and 
at the same time prevents resolvers from doing excessive work.



Of course even with perfectly valid RRSIGs and just one key the amount 
of work can be large - CNAME chains etc. etc. For that reason we 
currently also limit number of validations to 16 per fetch.



And that leaves us more or less with basic random subdomain attack, so 
we are back where we started :-)




If you think colliding keys should be allowed, please propose your own 
limits for sensible behavior. I will take popcorn and watch.


--
Petr Špaček
Internet Systems Consortium

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop





























					Reply via email to