DNSSEC DSSET & KEYSET

Florian Weimer fweimer at bfk.de
Thu Jan 28 16:33:18 UTC 2010


* Chris Thompson:

>>Parent zone policies vary.  Some require DS RRs, some DNSKEY RRs.
>>Demanding DNSKEY RRs can prolong the life of signature schemes with
>>certain weaknesses (which might be helpful at some point in the
>>future).
>
> I take it you refer there to the digest type field in the DS record?

No, there are attacks on hash functions which cause a collision by
extending two non-colliding messages, that is, for given p_1, p_2,
find s_1 and s_2 such that h(p_1 s_1) = h(p_2 s_2).  If you demand
DNSKEYs, the attacker lacks direct control over the s_i because of the
additional hashing step, requiring a much stronger attack.  (In an
attack, p_1 and p_2 would contain different domain names, for the
victim name and another name which the attacker can register.  The
parent zone will sign p_1 s_1, and the attacker will use p_2 s_2, for
which the signature on p_1 s_1 is also valid because of the hash
collision.  AFAICT, this is just a minor variant of the well-published
attack on MD5 certificates.)

This is all theoretical because no such attacks are currently known
against SHA-1.

In retrospect, the fact that all major certification-like schemes
require something much stronger than second preimage resistance from
the underlying hash function seems like a blunder of WEP-like
proportions.  Fortunately, there are workarounds for DNSSEC and X.509
(you don't even need the DNSKEYs if you employ randomized hashing, and
there's enough wiggle room for that, as discussed on the namedroppers
list).

-- 
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
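
The "additional hashing step" in the message above, sketched as an added example that is not part of the original message: under a DNSKEY policy the parent derives the DS RDATA itself (RFC 4034 digest and key tag), while under a DS policy it signs the submitted digest bytes as given. The function names `intake_dnskey` and `intake_ds` and the sample key bytes are constructed for illustration.

```python
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2

def name_to_wire(name):
    """Canonical (lowercased) wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(dnskey_rdata):
    """Key tag over DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = 0
    for i, byte in enumerate(dnskey_rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def intake_dnskey(owner, dnskey_rdata, digest_type=1):
    """DNSKEY policy: the parent derives the DS RDATA it will sign.
    digest = H(owner name | DNSKEY RDATA), so the registrant never
    chooses the digest bytes directly."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + dnskey_rdata).digest()
    algorithm = dnskey_rdata[3]  # flags(2) | protocol(1) | algorithm(1) | key
    return struct.pack("!HBB", key_tag(dnskey_rdata), algorithm, digest_type) + digest

def intake_ds(ds_rdata):
    """DS policy: the parent can only check well-formedness; the digest
    field is signed exactly as the registrant supplied it."""
    tag, algorithm, digest_type = struct.unpack("!HBB", ds_rdata[:4])
    if digest_type not in DIGESTS:
        raise ValueError("unsupported digest type")
    if len(ds_rdata) - 4 != DIGESTS[digest_type]().digest_size:
        raise ValueError("digest length does not match digest type")
    return ds_rdata

# Constructed sample: KSK flags 257, protocol 3, algorithm 5, dummy key bytes.
SAMPLE_KEY = struct.pack("!HBB", 257, 3, 5) + b"\x01\x02\x03\x04"

if __name__ == "__main__":
    derived = intake_dnskey("example.com.", SAMPLE_KEY)
    chosen = intake_ds(struct.pack("!HBB", 2060, 5, 1) + b"A" * 20)
    print("derived by parent :", derived.hex())
    print("registrant-chosen :", chosen.hex())
```
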


