On Wed, Jan 8, 2020 at 6:47 PM Viktor Dukhovni <[email protected]> wrote:
>
> On Wed, Jan 08, 2020 at 06:00:06PM -0500, Viktor Dukhovni wrote:
>
> > Well, there are various services where indeed the zone administrator signs
> > records from authenticated, but otherwise untrusted customers, provided
> > the RR owner is associated with the customer.
> >
> > For example, the .DE zone (which uses algorithm 8, so not subject to
> > any SHA-1 issues) allows registrants that only need a handful of
> > DNS records to have those records published directly in the .DE
> > zone, without delegation.
> >
> > Other zones may make similar arrangements.
>
> Or more simply, when Let's Encrypt, or some cloud provider asks you to
> publish a TXT RR in your zone to prove zone control, how sure are you
> that's not a hash collision in disguise?
It **could** be, but I'm still failing to see how they could use this -- LE asks me to publish:

_acme-challenge.example.com 600 IN TXT "I_like_Cheese"

in my zone, and I sign it.

LE asks Bob to publish:

_acme-challenge.example.net 600 IN TXT "I_like_Natchos"

in his zone, and Bob signs it.

I_like_Cheese and I_like_Natchos hash to the same output - 0x12345, and both Bob and I have signed it (actually, what gets signed is the concatenation of the RRSIG RDATA and the RRset, and so LE doesn't really get to choose the prefix, but let's ignore that).

Now the attacker (LE) has gotten both Bob and me to sign this, and when someone queries for _acme-challenge.example.com LE could inject "I_like_Natchos" instead of "I_like_Cheese" -- but both of these strings were messages under the attacker's control anyway.

Yes, I feel that there *might* be a way that this can be pivoted into something useful to the attacker, but I'm still not seeing it...

W

> --
> Viktor.
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

--
I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
---maf
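Added example for the "what gets signed is the concatenation of the RRSIG RDATA and the RRset" remark above; it is not code from the thread or from any of its posters. It builds the byte string a DNSSEC signer actually hashes for a TXT RRset, following RFC 4034 section 3.1.8.1 (RRSIG RDATA minus the Signature field, followed by the RRs in canonical form and order), and reports where the bytes the challenge requester chose sit inside it. The TTL, RRSIG validity window, key tag and signer name are made-up sample values; the owner names and TXT strings are the ones from the message.

```python
# Added example (not from the thread): build the exact byte string a DNSSEC
# signer hashes for a TXT RRset (RFC 4034 s3.1.8.1 and s6.2) and show where the
# requester-supplied TXT string lands in it.  Timestamps, key tag and signer
# name below are made-up sample values.
import hashlib
import struct

TYPE_TXT = 16
CLASS_IN = 1
RRSIG_FIXED_LEN = 18  # type covered .. key tag, before the signer's name

# Hash function each DNSSEC algorithm number uses (RFC 8624 algorithm table).
HASH_FOR_ALG = {5: "sha1", 7: "sha1", 8: "sha256", 10: "sha512",
                13: "sha256", 14: "sha384"}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a name: lower-cased labels, uncompressed, root terminator."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long: %r" % label)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def txt_rdata(*strings: str) -> bytes:
    """TXT RDATA: a sequence of <character-string>s, each a length octet plus text."""
    out = b""
    for s in strings:
        raw = s.encode("ascii")
        if len(raw) > 255:
            raise ValueError("character-string too long")
        out += bytes([len(raw)]) + raw
    return out


def label_count(owner: str) -> int:
    """RRSIG Labels field: owner labels, not counting the root or a leading wildcard."""
    labels = [l for l in owner.rstrip(".").split(".") if l]
    if labels and labels[0] == "*":
        labels = labels[1:]
    return len(labels)


def rrsig_rdata_prefix(type_covered, algorithm, labels, original_ttl,
                       expiration, inception, key_tag, signer):
    """RRSIG RDATA with the Signature field left off: the signed data starts with this."""
    return struct.pack("!HBBIIIH", type_covered, algorithm, labels, original_ttl,
                       expiration, inception, key_tag) + name_to_wire(signer)


def canonical_rr(owner, rrtype, rrclass, original_ttl, rdata):
    """One RR in canonical form: owner | type | class | OrigTTL | RDLENGTH | RDATA."""
    return (name_to_wire(owner)
            + struct.pack("!HHIH", rrtype, rrclass, original_ttl, len(rdata))
            + rdata)


def signed_data(owner, rrtype, original_ttl, rdatas, algorithm,
                expiration, inception, key_tag, signer):
    """RRSIG_RDATA | RR(1) | RR(2) ..., RRs sorted by RDATA as canonical ordering requires."""
    prefix = rrsig_rdata_prefix(rrtype, algorithm, label_count(owner), original_ttl,
                                expiration, inception, key_tag, signer)
    rrs = b"".join(canonical_rr(owner, rrtype, CLASS_IN, original_ttl, rd)
                   for rd in sorted(rdatas))
    return prefix + rrs


def first_registrant_byte(owner, signer):
    """Offset of the first byte the TXT requester chose, for a single one-string
    TXT RR: everything before it is fixed by the zone and its signer."""
    return (RRSIG_FIXED_LEN + len(name_to_wire(signer))
            + len(name_to_wire(owner)) + 10 + 1)


def digest_hex(algorithm, data):
    """Digest the signed data with the hash the algorithm number implies."""
    return hashlib.new(HASH_FOR_ALG[algorithm], data).hexdigest()


# The scenario from the message: example.com signs the challenge LE asked for,
# with algorithm 8.  TTL 600 as in the message; validity window and key tag made up.
ALICE = signed_data("_acme-challenge.example.com", TYPE_TXT, 600,
                    [txt_rdata("I_like_Cheese")], 8,
                    expiration=1580515200, inception=1578700800,
                    key_tag=2371, signer="example.com")

if __name__ == "__main__":
    off = first_registrant_byte("_acme-challenge.example.com", "example.com")
    print("signed data:", ALICE.hex())
    print("requester-chosen bytes start at offset", off, "of", len(ALICE))
    print("sha256 over signed data:", digest_hex(8, ALICE))
```

For the single-string TXT RR in the message, the first 71 of the 84 hashed bytes (RRSIG fields, signer name, owner name, type, class, TTL, RDLENGTH and the character-string length octet) are set by the zone and its signer, and only the 13 bytes of the TXT string itself are the requester's; the hash that is finally signed depends on the algorithm number, which is what makes the algorithm 8 versus algorithm 5/7 distinction in the quoted text matter.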
