On Tue, Jun 9, 2015 at 5:55 AM, Edward Lewis <[email protected]> wrote:
> On 6/9/15, 3:12, "Kevin Chen" <[email protected]> wrote: > > >> > >>which looks quite simple, however the KSK DNSKEY from hollington.ca is > >> part of the DS set. The only notable part of the DS set is that it > >> contains 4 keys, among which is an older (?) with a longer hash. > > > >RFC 4509 says: > > > > Implementations MUST support the use of the SHA-256 algorithm in DS > > RRs. Validator implementations SHOULD ignore DS RRs containing SHA-1 > > digests if DS RRs with SHA-256 digests are present in the DS RRset. > > > >I assume the various resolvers are making different choices with regard > >to SHOULD. > > Hmmm, I would have never interpreted that requirement that way. I always > had in mind "per key." The example in the RFC seems to present it that way as well. That might be part of the problem (I had interpreted it--and implemented it--that way). o A zone includes multiple DS records for a given child's DNSKEY, each of which uses a different digest type. o A validator accepts a weaker digest even if a stronger one is present but invalid. But when you consider a downgrade attack, the attacker only needs the lowest hanging fruit. That means that *any* DS (regardless of DNSKEY) with the weaker digest type could potentially be used for falsifying a DNSKEY. Casey
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
