> On Apr 14, 2018, at 4:26 PM, Matthew Pounsett <m...@conundrum.com> wrote:
> These are getting into name server quality checks, and not security checks, 
> which is the point of the acceptance testing.  I don't agree that these 
> should be part of this document.

If the registry operator is going to automatically upgrade previously insecure 
delegations to DNSSEC, then due diligence to make sure that this is not going 
to cause outages is advisable.  Once a domain is signed, TLSA and CAA lookups 
must succeed, or the domain may no longer receive email from DANE-enabled 
sending MTAs, or be able to obtain certificates from their CA, ...

So I rather strongly feel that appropriate quality checks should be in place, 
to protect both the registrant and the registry (dealing with fallout from 
outages is best avoided).

>>       o Check that if the zone uses RSA, the KSK and ZSK are at least 1280
>>         bits and at most 2048 bits.  This may be controversial, but for new
>>         deployments RSA <= 1024 bits is widely considered too weak, and RSA
>>         with more than 2048 bits creates signatures that are often too large
>>         for reliable UDP transport.
> While this is probably a reasonable thing to do, a registration mechanism 
> documented in REGEXT is not the place to do this.  I think if DNSOP wants 
> such advice in a standard there should be a BCP document out of DNSOP that 
> defines it.

Yes, this is a point for discussion.  Still I think it would be bad to, for 
example, introduce more domains with 512-bit RSA keys, or perhaps even accept 
1024-bit RSA
keys.  There are many domains with 1536-bit KSKs and 1280-bit ZSKs, these are I
think well chosen, though ECDSA P-256 (algorithm 13) is looking increasingly 
an even better choice at present.

Given that 1024-bit RSA is considered past its use-by these days, perhaps 
automated upgrades to DNSSEC only to stronger keys is a good idea???

>>       o Check that if the zone uses NSEC3 the NSEC3PARAM iteration count is
>>         at most 150 (regardless of RSA key size).  Larger iteration counts
>>         are both inefficient and fragile in the face of algorithm rollovers.
>>         The optimal value is 0 (performs one round of SHA1, which is enough 
>> to
>>         deter casual zone walking).  The most popular value is 1, which is
>>         very likely because it is slightly unclear whether 0 means no hash
>>         or (as is the case) just one initial hash.  So hats off to the
>>         operations that chose 1, they understand that the count should be
>>         low, and are careful to avoid edge cases.
> Again, I think this is out of scope of a document standardizing a 
> registration mechanism.  Besides which, there are operators out there who 
> deliberately have a low iteration count because they don't care about zone 
> walking, and are only using NSEC3 for the opt-out capability.

Here you misunderstood my point, I am suggesting a MAXIMUM of 150 and 
0 or 1, precisely because opt-out is mostly all that NSEC3 is useful for, but 
or two rounds of SHA deter "casual" zone walking.

You may not have seen my posts to dns-operations and this list about the issues
with iteration counts that exceed 150.  The tl;dr version is don't do that.
Catching mistakes at registration time is our best opportunity to maintain the
hygiene of the ecosystem.


DNSOP mailing list

Reply via email to