On Thu, Dec 06, 2018 at 10:26:55AM -0300, Hugo Salgado-Hernández wrote:

> On 18:54 05/12, Viktor Dukhovni wrote:
> > No idea why people would just "make up" (non-)random DS records for
> > their domains, but for some reason some do.  These made-up DS RRs
> 
> Could it be a bad (or nonexistent) validation in user input?
> 
> I've seen customers putting hostnames, google validation tokens
> and even ftp passwords in DS fields.

Well, the questionable values are well formed, they just have a
surprising "entropy deficit", which one would not expect in a SHA-1
or SHA256 output.  So syntactic input validation is unlikely to
catch this.

To prevent crappy DS records, the registrar or registry would need
to check that the zone contains a matching key (matching key tag
and hash value) before publishing the DS record.  In the examples
I posted, it seems clear that the values were accepted as-is,
without confirmation via the zone's DNSKEY RRset.

IIRC some registrars don't support direct input of DS records,
rather they accept DNSKEY RRs, and compute the DS.  That would
preclude some of the more creative junk values.  Of course one can
still upload a junk RSA key.  Junk keys are a bit more difficult
with ECDSA and EdDSA because keys have a fixed size and can be
validated for correctness; here the worst one can do is use a
public key with a well-known (example) or already leaked private
key.

-- 
        Viktor.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
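The check Viktor describes, computing the DS from the zone's DNSKEY (RFC 4034 key tag plus SHA-256 over owner name and RDATA) and refusing a submitted DS that no DNSKEY reproduces, together with a fixed-size and on-curve check for an ECDSAP256SHA256 key, as an added example that is not part of the thread. The zone name example.com, the "customer-submitted" junk DS and the sample key are constructed for the demo; the sample key is the P-256 generator point, chosen because it is a known valid point whose private key is 1, i.e. exactly the "well-known private key" case mentioned above.

```python
"""Registry-side sanity checks for DS and DNSKEY submissions (constructed example)."""
import hashlib
import struct

DIGEST_SHA256 = 2           # DS digest type 2 (RFC 4509)
ALG_ECDSAP256SHA256 = 13    # DNSKEY algorithm 13 (RFC 6605)

# NIST P-256: y^2 = x^3 - 3x + b (mod p); G is the standard base point (private key 1).
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def owner_name_wire(name):
    """Canonical wire form of an owner name (RFC 4034 6.2): lowercase labels, root terminator."""
    name = name.rstrip(".").lower()
    if not name:
        return b"\x00"
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not for algorithm 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, rdata):
    """DS tuple (key tag, algorithm, digest type, digest) derived from a DNSKEY, RFC 4034 5.1.4."""
    digest = hashlib.sha256(owner_name_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], DIGEST_SHA256, digest)


def ds_matches_dnskey_rrset(owner, submitted_ds, dnskey_rdatas):
    """True only if some DNSKEY in the zone's RRset reproduces the submitted DS exactly."""
    return any(ds_from_dnskey(owner, r) == submitted_ds for r in dnskey_rdatas)


def check_p256_pubkey(pubkey):
    """Problems with an algorithm-13 public key field (RFC 6605: 64 bytes, x || y, no 0x04 prefix)."""
    if len(pubkey) != 64:
        return ["expected 64-byte x||y, got %d bytes" % len(pubkey)]
    problems = []
    x = int.from_bytes(pubkey[:32], "big")
    y = int.from_bytes(pubkey[32:], "big")
    if x >= P256_P or y >= P256_P:
        problems.append("coordinate not reduced mod p")
    elif (y * y - (x * x * x - 3 * x + P256_B)) % P256_P != 0:
        problems.append("point is not on P-256")
    if (x, y) == (P256_GX, P256_GY):
        problems.append("public key is the generator (private key 1)")
    return problems


# Constructed sample data: a KSK (flags 257) for example.com whose public key is G.
ZONE = "example.com."
G_KEY = P256_GX.to_bytes(32, "big") + P256_GY.to_bytes(32, "big")
ZONE_DNSKEY = dnskey_rdata(257, 3, ALG_ECDSAP256SHA256, G_KEY)
# Syntactically valid DS with the right key tag but a low-entropy, made-up digest.
JUNK_DS = (key_tag(ZONE_DNSKEY), ALG_ECDSAP256SHA256, DIGEST_SHA256, b"\xab" * 32)

if __name__ == "__main__":
    good_ds = ds_from_dnskey(ZONE, ZONE_DNSKEY)
    print("computed DS accepted:", ds_matches_dnskey_rrset(ZONE, good_ds, [ZONE_DNSKEY]))
    print("junk DS accepted:    ", ds_matches_dnskey_rrset(ZONE, JUNK_DS, [ZONE_DNSKEY]))
    print("key problems:        ", check_p256_pubkey(G_KEY))
```

The junk DS passes every syntactic check (valid key tag, algorithm and digest length) and is only caught by recomputing it from the DNSKEY RRset; the key check shows the ECDSA case, where a wrong length or an off-curve point is rejected outright and the remaining hazard is a valid point with a known private key.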
