<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 06-Feb-14 09:14, Klaus Darilion
wrote:<br>
</div>
<blockquote cite="mid:%3C52F398C6.4000505@pernau.at%3E" type="cite">
<br>
<br>
On 06.02.2014 14:58, Cathy Almond wrote:
<br>
<blockquote type="cite">On 06/02/2014 12:58, Timothe Litt wrote:
<br>
<blockquote type="cite">On 06-Feb-14 05:56, Cathy Almond wrote:
<br>
<blockquote type="cite">On 05/02/2014 18:54, David Newman
wrote:
<br>
<blockquote type="cite">The Michael W. Lucas DNSSEC book
recommends changing NSEC3 salt every
<br>
time a zone's ZSK changes.
<br>
<br>
Is this just a matter of a new 'rndc signing' command, or
is some action
<br>
needed to remove the old salt?
<br>
<br>
thanks
<br>
<br>
dn
<br>
</blockquote>
rndc signing -nsec3param ...
<br>
<br>
I would expect the old NSEC3 chain and old NSEC3PARAM record
to be
<br>
removed, once the new chain is in place.
<br>
<br>
(Similarly, the new NSEC3PARAM record will not appear in the
zone until
<br>
the new NSEC3 chain has been completely generated).
<br>
<br>
Cathy
<br>
<br>
</blockquote>
This seems silly. Why should a person have to select a salt
at all?
<br>
It's just a random number, and people are really bad at
picking random
<br>
numbers. Seems like a miss in 'DNSSEC for humans' :-)
<br>
<br>
There should be a mechanism to tell named to pick a random
number and
<br>
use it for the salt. (I suggest '*' - '-' already means
'none'.) named
<br>
already has to know how to get random numbers, so this should
not be
<br>
difficult. It should work for records supplied in UPDATE
transactions
<br>
as well as rndc signing.
<br>
<br>
A bit more work to have it function when loaded from a zone
file, though
<br>
that doesn't seem unreasonable. (E.g. if read from a zone
file, pick a
<br>
salt, treat the record as if loaded with that value, and do
all the
<br>
requisite (re-)signing.)
<br>
<br>
I'm copying bind9-bugs so this doesn't get lost. Please don't
copy that
<br>
list if you comment on this. (Careful with that 'reply all'!)
<br>
<br>
Timothe Litt
<br>
ACM Distinguished Engineer
<br>
</blockquote>
<br>
Sounds like a good idea - thanks.
<br>
</blockquote>
<br>
Indeed. It would also solve the theoretical problem of NSEC3 hash
collisions (see my email from 3. Feb 2014)
<br>
<br>
regards
<br>
Klaus
<br>
<br>
<br>
</blockquote>
Not quite. It would enable a solution, but it doesn't solve it
unless named also checks for a collision, picking a new salt and
re-trying in that case. That would be a good idea (though creating
a test case would be a good student challenge). [If it isn't
tested, it doesn't work...]<br>
<br>
Note also the RFC 5155 recommendation:<br>
<blockquote type="cite">The salt SHOULD be at least 64 bits long and unpredictable, so that<br>
an attacker cannot anticipate the value of the salt and compute the<br>
next set of dictionaries before the zone is published.</blockquote>
In case it wasn't obvious, I should have noted that the length would
be a config file entry.<br>
<br>
<br>
<pre class="moz-signature" cols="72">Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
</pre>
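<p>The mechanism sketched in the last message (named draws its own salt, checks the resulting NSEC3 chain for a hashed-owner-name collision, and re-draws if one turns up) can be illustrated with the following script. This is an added example, not code from BIND or from anyone in the thread: it implements the RFC 5155 section 5 hash (SHA-1, iterated with the salt appended), draws a salt of at least 64 bits from the operating system's CSPRNG, checks that no two names of a constructed sample zone hash to the same NSEC3 owner name, and builds the <code>rndc signing -nsec3param</code> line mentioned earlier with the chosen salt. The zone name <code>example.com</code>, its record names and all function names are assumptions; the only value taken from elsewhere is the RFC 5155 Appendix A test vector used as a self-check.</p>

```python
"""Pick an unpredictable NSEC3 salt and verify that it produces no hashed
owner-name collision for a zone's names, re-drawing the salt if it does.

Added example; not code from BIND or from anyone in the thread.  The hash
follows RFC 5155 section 5; the sample zone below is constructed.
"""
from __future__ import annotations

import base64
import hashlib
import secrets

# Python only ships the RFC 4648 base32 alphabet; NSEC3 owner names use
# base32hex, which is a straight alphabet substitution (no padding for 20 bytes).
_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_B32HEX = bytes.maketrans(_B32_STD, _B32_HEX)


def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name: lowercase, length-prefixed labels, root byte."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 s.5: IH(salt,x,0) = H(x||salt); IH(salt,x,k) = H(IH(salt,x,k-1)||salt)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii").lower()


def find_collisions(hashes: dict[str, str]) -> dict[str, list[str]]:
    """Return {hash: [names...]} for every hash shared by more than one owner name."""
    by_hash: dict[str, list[str]] = {}
    for name, h in hashes.items():
        by_hash.setdefault(h, []).append(name)
    return {h: names for h, names in by_hash.items() if len(names) > 1}


def choose_salt(names, iterations: int = 10, salt_bytes: int = 8,
                max_tries: int = 16, rng=secrets.token_bytes) -> bytes:
    """Draw a random salt (RFC 5155: SHOULD be >= 64 bits) and re-draw on collision.

    `rng` is injectable so a caller can substitute a deterministic source in tests;
    the default is the OS CSPRNG, which is what 'named picks the salt' would need.
    """
    if salt_bytes < 8:
        raise ValueError("RFC 5155 recommends a salt of at least 64 bits")
    # Normalise so that differently-cased spellings of one name are not reported
    # as a collision between two distinct owners.
    unique = {n.lower().rstrip(".") for n in names}
    for _ in range(max_tries):
        salt = rng(salt_bytes)
        hashes = {n: nsec3_hash(n, salt, iterations) for n in unique}
        if not find_collisions(hashes):
            return salt
    raise RuntimeError("no collision-free salt found after %d draws" % max_tries)


def rndc_command(zone: str, salt: bytes, iterations: int = 10, flags: int = 0) -> str:
    """The 'rndc signing -nsec3param hash flags iterations salt zone' form; salt is hex."""
    return f"rndc signing -nsec3param 1 {flags} {iterations} {salt.hex()} {zone}"


def rfc5155_vector_ok() -> bool:
    """Self-check against RFC 5155 Appendix A: apex 'example', salt aabbccdd, 12 iterations."""
    return nsec3_hash("example", bytes.fromhex("aabbccdd"), 12) == \
        "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom"


# Constructed sample zone (assumed names, not from the thread).
SAMPLE_ZONE = "example.com"
SAMPLE_NAMES = ["example.com", "www.example.com", "mail.example.com",
                "ns1.example.com", "ns2.example.com"]

if __name__ == "__main__":
    assert rfc5155_vector_ok(), "NSEC3 hash implementation does not match RFC 5155"
    chosen = choose_salt(SAMPLE_NAMES)
    for n in SAMPLE_NAMES:
        print(f"{nsec3_hash(n, chosen, 10)}.{SAMPLE_ZONE}  <- {n}")
    print(rndc_command(SAMPLE_ZONE, chosen))
```

<p>The check only covers the names handed to it; in a real zone it would also have to cover empty non-terminals, which named knows about and this script does not. A draw that collides is simply discarded and a new one taken, which is the retry behaviour the message asks for, and the salt length is a parameter so that it could come from a configuration entry as suggested.</p>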
</body>
</html>