* Chris Thompson:

>>Parent zone policies vary. Some require DS RRs, some DNSKEY RRs.
>>Demanding DNSKEY RRs can prolong the life of signature schemes with
>>certain weaknesses (which might be helpful at some point in the
>>future).
>
> I take it you refer there to the digest type field in the DS record?

No, there are attacks on hash functions which cause a collision by
extending two non-colliding messages, that is, for given p_1, p_2,
find s_1 and s_2 such that h(p_1 s_1) = h(p_2 s_2). If you demand
DNSKEYs, the attacker lacks direct control over the s_i because of the
additional hashing step, requiring a much stronger attack.

(In an attack, p_1 and p_2 would contain different domain names, for
the victim name and another name which the attacker can register. The
parent zone will sign p_1 s_1, and the attacker will use p_2 s_2, for
which the signature on p_1 s_1 is also valid because of the hash
collision. AFAICT, this is just a minor variant of the well-published
attack on MD5 certificates.)

This is all theoretical because no such attacks are currently known
against SHA-1.

In retrospect, the fact that all major certification-like schemes
require something much stronger than second preimage resistance from
the underlying hash function seems like a blunder of WEP-like
proportions. Fortunately, there are workarounds for DNSSEC and X.509
(you don't even need the DNSKEYs if you employ randomized hashing, and
there's enough wiggle room for that, as discussed on the namedroppers
list).

-- 
Florian Weimer                <fwei...@bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
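
The "additional hashing step" mentioned in the message above, as an added example that is not part of the original post or of BIND: a parent that demands DNSKEYs computes the DS digest itself (RFC 4034 layout), while a parent that accepts DS records places registrant-supplied digest bytes in the RRset it signs. The function names and the sample key bytes are constructed for illustration.

```python
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2

def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = [l for l in name.lower().split(".") if l]
    if any(len(l) > 63 for l in labels):
        raise ValueError("label longer than 63 octets")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags | protocol | algorithm | public key (RFC 4034, 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 1) -> bytes:
    """DNSKEY policy: the parent hashes owner name | DNSKEY RDATA itself."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).digest()
    algorithm = rdata[3]  # fourth octet of the DNSKEY RDATA
    return struct.pack("!HBB", key_tag(rdata), algorithm, digest_type) + digest

def ds_as_submitted(tag: int, algorithm: int, digest_type: int, digest: bytes) -> bytes:
    """DS policy: only the length can be checked; the digest bytes are the registrant's."""
    if len(digest) != DIGESTS[digest_type]().digest_size:
        raise ValueError("digest length does not match digest type")
    return struct.pack("!HBB", tag, algorithm, digest_type) + digest

# Constructed sample input: 32 placeholder bytes, not a real public key.
SAMPLE_KEY = dnskey_rdata(257, 3, 8, bytes(range(32)))

if __name__ == "__main__":
    chosen = bytes(20)  # registrant-chosen digest field, accepted verbatim
    print("DS policy    :", ds_as_submitted(key_tag(SAMPLE_KEY), 8, 1, chosen).hex())
    print("DNSKEY policy:", ds_from_dnskey("example.com.", SAMPLE_KEY).hex())
```

Under the DS policy the last 20 octets of the signed RDATA are whatever was submitted; under the DNSKEY policy they are the output of a hash over the owner name and key, which is the extra step the message refers to.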