>
> On Fri 2018-12-14 02:22:12 +0530, Mukund Sivaraman wrote:
> > The trailing '='s are part of the base32 encoding.
> >
> > [muks@naina ~]$ echo -n "MFRGGZDFMZTWQ2LKNNWG23TPOBYXE43UOV3HO6DZPI3TQOJQGEZA====" | base32 -d
> > abcdefghijklmnopqrstuvwxyz789012[muks@naina ~]$ echo -n "MFRGGZDFMZTWQ2LKNNWG23TPOBYXE43UOV3HO6DZPI3TQOJQGEZA" | base32 -d
> > abcdefghijklmnopqrstuvwxyz7890base32: invalid input
> >
> > This will not validate as a hostname label.
>
> ah! good call, thanks. so a "trailing-=-stripped b32 encoding" would
> work OK, right?
>
> I did the generation in python with:
>
>
> base64.b32encode(hashlib.sha256(rawdata).digest()).decode('us-ascii').strip('=').lower()
>
> it's not hard to re-add the = padding before re-decoding, based on the
> length of the string, which will be a fixed length.
>
>
Yes, the padding MUST be removed from the name in order to form a
legitimate label.
Likewise, padding must be re-added when extracting the signature back.
>
> Let's look at this from another angle: what sorts of limits are we
> talking about here?
>
> https://tools.ietf.org/html/rfc1035#section-2.3.4
>
> establishes the limits, in particular:
>
> labels 63 octets or less
> names 255 octets or less
>
> so we're saying that the terminal label will consume 57 octets (52 for
> the b32, 4 for "dot-", and 1 for the dot). this means that the zones
> that can contain such a label are limited to 198 octets.
>
> The longest name in the public suffix list (https://publicsuffix.org) is
> 41 octets (without the trailing dot):
> s3.dualstack.ap-northeast-1.amazonaws.com
>
> so even any long-named zone within that longest public suffix still
> leaves 157 octets for the intervening sub-zones -- space remains for
> more than two full-length 63-octet labels.
>
> So i'm not worried -- there will be other problems with long domain
> names long before we hit this one.
>
Agreed, it does form a long name, but it fits the bill of the max size for
the label and still leaves some room for a decently long, likewise already
super long name.
It may not be a nice target name, but this is not really for humans to
remember or even ever look at realistically.
Manu
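The two halves of the scheme discussed in this thread (strip the base32 padding to form a label, re-add it from the fixed length before decoding) and the RFC 1035 length arithmetic, as an added example that is not code from the thread. The "dot-" prefix and the per-label-plus-dot accounting are taken from dkg's message above; the function names are my own.

```python
import base64
import hashlib
import re

# Layout from the thread: "dot-" + base32(sha256(data)) with the '=' padding
# stripped and lowercased, so the label is 4 + 52 = 56 octets.
# LABEL_PREFIX is an assumption taken from the "dot-" wording in the thread.
LABEL_PREFIX = "dot-"
B32_BODY_LEN = 52           # 32-byte digest -> 52 base32 chars before padding
MAX_LABEL = 63              # RFC 1035 section 2.3.4
MAX_NAME = 255
_BODY_RE = re.compile(r"^[a-z2-7]{%d}$" % B32_BODY_LEN)


def digest_label(rawdata: bytes) -> str:
    """Hostname-safe label: prefix + unpadded, lowercased base32 of SHA-256."""
    b32 = base64.b32encode(hashlib.sha256(rawdata).digest()).decode("us-ascii")
    return LABEL_PREFIX + b32.rstrip("=").lower()


def digest_from_label(label: str) -> bytes:
    """Inverse of digest_label: validate, then re-add padding before decoding."""
    if not label.startswith(LABEL_PREFIX):
        raise ValueError("label lacks the expected prefix")
    body = label[len(LABEL_PREFIX):]
    if not _BODY_RE.match(body):
        raise ValueError("label body is not 52 lowercase base32 characters")
    # base32 emits 8 chars per 40-bit group; pad back up to a multiple of 8
    # (52 -> 56, i.e. the four '=' that base32 -d insisted on above).
    padded = body.upper() + "=" * (-len(body) % 8)
    return base64.b32decode(padded)


def is_valid_label(label: str) -> bool:
    """True if the label parses back to a digest without error."""
    try:
        digest_from_label(label)
        return True
    except ValueError:
        return False


def fits_name(zone: str, rawdata: bytes) -> bool:
    """Check <label>.<zone> against the RFC 1035 limits using the thread's
    accounting: every label costs its own octets plus one for the dot."""
    label = digest_label(rawdata)
    zone_labels = [l for l in zone.rstrip(".").split(".") if l]
    if any(len(l) > MAX_LABEL for l in [label] + zone_labels):
        return False
    return len(label) + 1 + len(".".join(zone_labels)) <= MAX_NAME
```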
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy