> On 27 Jul 2018, at 10:37 am, Paul Hoffman <[email protected]> wrote: > > On 26 Jul 2018, at 10:25, Ondřej Surý wrote: > >>> If the ZONEMD record is signed, the only person who can mount a collision >>> attack is the zone owner themselves. If the ZONEMD record is unsigned, an >>> attacker can just remove it. >> >> I believe, that’s not true. The ZONEMD can stay intact while the attacker >> would modify the unsigned parts of the zone to create a same checksum, but >> different contents? He might be targeting just this particular zone and >> it’s delegation, so everything else is throw-away junk that can be modified. >> >>> What is the attack you are envisioning? > > You didn't answer the last question. It sounds like you want it as a > signature over the entire zone. If so, then I fully agree that using hash > algorithms that have known collision attacks is a very bad idea. But I also > think that using ZONEMD as a strong signature is a bad idea: that's what > signing algorithms are for.
ZONEMD and XHASH can both be modelled as a cryptographic hash (NSEC3) or cryptographic hash + signature (RRSIG). The later will take less space in the zone but more work to update when the signature expires. Either model will prevent record changes. > --Paul Hoffman > > _______________________________________________ > DNSOP mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [email protected] _______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
