--
Ondřej Surý
[email protected]

> On 26 Jul 2018, at 18:48, Paul Hoffman <[email protected]> wrote:
>
> On 26 Jul 2018, at 9:43, Ondřej Surý wrote:
>
>>> On 26 Jul 2018, at 18:40, Wessels, Duane <[email protected]> wrote:
>>>
>>> Ondrej,
>>>
>>> Thanks, I think that's a fair point. I was of course hoping to not create
>>> yet another IANA registry.
>>>
>>> If the ZONEMD RR included a count of records as suggested by Paul Wouters
>>> would you then be comfortable
>>> just using the DS hash algorithms?
>>
>> That's probably a question you need to ask some cryptographer, so take my
>> opinion with a grain of salt.
>>
>> If <n> is the number of ZONEMD-covered records, then the probability of
>> collision attack gets higher. So, unless
>> I am mistaken, the delegation heavy zones would be especially susceptible to
>> a collision attack. Does it make
>> sense?
>
> If the ZONEMD record is signed, the only person who can mount a collision
> attack is the zone owner themselves. If the ZONEMD record is unsigned, an
> attacker can just remove it.

I believe that's not true. The ZONEMD can stay intact while the attacker would modify the unsigned parts of the zone to create the same checksum, but different contents? He might be targeting just this particular zone and its delegation, so everything else is throw-away junk that can be modified.

> What is the attack you are envisioning?

Ondrej
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
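The thread above argues about what a zone digest protects when parts of the zone (delegation NS sets and glue) are not covered by DNSSEC signatures. The following is an added example, not code from the thread or from any ZONEMD implementation: a simplified ZONEMD-style digest over a constructed zone, with the record count folded into the hashed input as Duane's message describes Paul Wouters suggesting. The canonicalization is an assumption for illustration (lower-cased owner names, textual rdata, sorted tuples, ZONEMD RR excluded from its own digest) and is not the wire-format encoding of the real specification. It shows the defender's side of the argument: a verifier recomputing the digest detects any change to a covered record, signed or not, so an attacker who leaves the ZONEMD RR intact must find a second zone content with the same digest, which is exactly the collision the thread is discussing.

```python
"""Simplified zone-digest computation and verification.

Hypothetical, simplified canonicalization for illustration; it is NOT the
wire-format serialization that the ZONEMD specification defines.
"""
import hashlib
import hmac

# Constructed sample zone (all names, addresses and serials are made up).
# The parent signs its own apex records; the child's NS set and glue A
# record are the unsigned "delegation" parts the mail thread talks about.
SAMPLE_ZONE = [
    ("example.", "SOA", "ns1.example. hostmaster.example. 2018072601 7200 3600 1209600 3600"),
    ("example.", "NS", "ns1.example."),
    ("ns1.example.", "A", "192.0.2.1"),
    ("child.example.", "NS", "ns.child.example."),
    ("ns.child.example.", "A", "192.0.2.53"),   # glue, unsigned by the parent
    ("example.", "ZONEMD", "2018072601 1 1 PLACEHOLDER-DIGEST"),  # excluded below
]


def canonical_form(records):
    """Return the records a zone digest covers, in canonical order.

    Assumed rules: owner names compare case-insensitively, the ZONEMD RR is
    excluded from the digest it carries, and records sort by
    (owner, type, rdata) so that input order does not matter.
    """
    covered = [
        (owner.lower(), rtype.upper(), rdata)
        for owner, rtype, rdata in records
        if rtype.upper() != "ZONEMD"
    ]
    return sorted(covered)


def compute_zone_digest(records):
    """SHA-384 over the canonical records, prefixed by the covered-record count.

    The count prefix is the idea under discussion in the thread (an attacker
    cannot silently add or drop records without changing the hashed input);
    it is an assumption here, not part of the standard digest.
    """
    canon = canonical_form(records)
    h = hashlib.sha384()
    h.update(len(canon).to_bytes(4, "big"))
    for owner, rtype, rdata in canon:
        h.update(f"{owner}\t{rtype}\t{rdata}\n".encode("utf-8"))
    return h.hexdigest()


def verify_zone(records, published_digest):
    """True only if the recomputed digest matches the published one.

    Constant-time comparison so a verifier does not leak how many leading
    digest bytes matched.
    """
    return hmac.compare_digest(compute_zone_digest(records), published_digest)


def with_modified_glue(records, new_address="198.51.100.7"):
    """Return a copy of the zone with the unsigned glue address changed.

    Used only to show that the verifier catches a change to an unsigned
    record while the ZONEMD RR itself is left untouched.
    """
    return [
        (owner, rtype, new_address if (owner, rtype) == ("ns.child.example.", "A") else rdata)
        for owner, rtype, rdata in records
    ]


if __name__ == "__main__":
    published = compute_zone_digest(SAMPLE_ZONE)
    print("published digest:", published)
    print("original zone verifies:", verify_zone(SAMPLE_ZONE, published))
    print("modified glue verifies:", verify_zone(with_modified_glue(SAMPLE_ZONE), published))
```

Because the digest covers the whole canonical record set, it does not matter for detection which records DNSSEC signs; what matters is that the ZONEMD RR carrying the digest is itself signed, so that the attacker's only remaining option is the content collision the thread is weighing against the number of covered records.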
