Re: [DNSOP] [Ext] About key tags

[Arnold DECHAMPS]

How much would those "unnecessary expensive validations attempts" cost with 
modern hardware?

Is it still a concern enough that they justify continuing using those tags 
instead of the full key?

Wouldn't that limit the risk of collision?

Regards,

Arnold Dechamps

So, I am the person who added key tags in the initial design of
DNSSEC. The idea was just to, probabilistically, avoid unnecessary
expensive validation attempts. If key tags are causing problems for
some resolvers and validations are not such a problem with modern
hardware, you can always just ignore the key tag and try validation
with all keys. You still need to bound the effort you are willing to
put in to evade some attacks.

Thanks,
Donald
===============================
Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
2386 Panoramic Circle, Apopka, FL 32703 USA
d3e...@gmail.com

On Wed, Feb 14, 2024 at 11:06 AM Jim Reid <j...@rfc1035.com> wrote:

> On 14 Feb 2024, at 15:17, Paul Hoffman <paul.hoff...@icann.org> wrote:
>
> On Feb 14, 2024, at 07:10, Jim Reid <j...@rfc1035.com> wrote:
>> That said, I think a minor tweak to the core DNSSEC specs would be a good 
idea. For instance, whenever a validator comes across a key tag collision, it MUST 
stop validating and either return a hard error or an unvalidated response.
>>
>> My concern here is a bad actor using key tag collisions to disrupt important 
validating resolver services. For some definition of important.
>
> That is not a "minor tweak", that will occasionally break validation in 
hard-to-detect ways.

Could you please elaborate the hard-to-detect ways Paul? Key tag collision is 
an obscure corner case (modulo the current keytrap excitement) and refusing to 
validate in these circumstances seems more than reasonable to me. Fail early, 
fail “safe”. The resolver would presumably log the error and return a suitable 
response to the client.

DNSSEC validation is already far too complex. Let’s not add more. IMO, the 
pragmatic approach here would be for a validator to say “Duplicate key tags 
mean the signer has messed up and I give up. Have a nice day.”.

> The problem is not the collisions, it is the collisions causing almost 
unbounded processing.

Indeed. So at the earliest opportunity for a validating resolver, nuke that 
from orbit. It’s the only way to be sure. :-)

> A better update would be to say "watch for excessive processing due to keytag 
collisions and abort when you detect it".

Seems a bit fluffy to me. Define “excessive” and “watch". More code/moving 
parts would be needed to implement this approach too.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

    [DNSOP] About key tags  Edward Lewis
    Re: [DNSOP] About key tags  Mark Andrews
    Re: [DNSOP] About key tags  Wellington, Brian
    Re: [DNSOP] [Ext] Re: About key tags  Edward Lewis
    Re: [DNSOP] [Ext] About key tags  Mark Andrews
    Re: [DNSOP] [Ext] About key tags  Petr Špaček
    Re: [DNSOP] [Ext] About key tags  Edward Lewis
    Re: [DNSOP] [Ext] About key tags  Joe Abley
    Re: [DNSOP] [Ext] About key tags  Petr Špaček
    Re: [DNSOP] [Ext] About key tags  Edward Lewis
    Re: [DNSOP] [Ext] About key tags  Havard Eidnes
    Re: [DNSOP] [Ext] About key tags  Shumon Huque
    Re: [DNSOP] [Ext] About key tags  Edward Lewis
    Re: [DNSOP] [Ext] About key tags  Yorgos Thessalonikefs
    Re: [DNSOP] [Ext] About key tags  Jim Reid
    Re: [DNSOP] [Ext] About key tags  Shumon Huque
    Re: [DNSOP] [Ext] About key tags  Edward Lewis
    Re: [DNSOP] [Ext] About key tags  Ralf Weber
    Re: [DNSOP] [Ext] About key tags  Jim Reid
    Re: [DNSOP] [Ext] About key tags  Shumon Huque
    Re: [DNSOP] [Ext] About key tags  Ralf Weber
    Re: [DNSOP] [Ext] About key tags  Petr Špaček
    Re: [DNSOP] [Ext] About key tags  Edward Lewis
    Re: [DNSOP] [Ext] About key tags  Paul Hoffman
    Re: [DNSOP] [Ext] About key tags  Donald Eastlake
    Re: [DNSOP] [Ext] About key tags  Edward Lewis
    Re: [DNSOP] [Ext] About key tags  Petr Špaček
    Re: [DNSOP] [Ext] About key tags  Paul Wouters
    Re: [DNSOP] [Ext] About key tags  Paul Hoffman
    Re: [DNSOP] [Ext] About key tags  Paul Wouters
    Re: [DNSOP] [Ext] About key tags  Wellington, Brian
    Re: [DNSOP] [Ext] About key tags  Paul Hoffman
    Re: [DNSOP] [Ext] About key tags  Wellington, Brian
    Re: [DNSOP] [Ext] About key tags  Ralf Weber
    Re: [DNSOP] [Ext] About key tags  Paul Wouters
    Re: [DNSOP] [Ext] About key tags  Philip Homburg
    Re: [DNSOP] [Ext] About key tags  Edward Lewis
    Re: [DNSOP] [Ext] About key tags  Edward Lewis
    Re: [DNSOP] [Ext] About key tags  Ralf Weber
    Re: [DNSOP] [Ext] About key tags  Paul Hoffman
    Re: [DNSOP] [Ext] About key tags  Ralf Weber
    Re: [DNSOP] [Ext] About key tags  Bob Harold
    Re: [DNSOP] [Ext] About key tags  Ted Lemon
    Re: [DNSOP] [Ext] About key tags  Mark Andrews
    Re: [DNSOP] [Ext] About key tags  Edward Lewis
    Re: [DNSOP] [Ext] About key tags  Jim Reid
    Re: [DNSOP] [Ext] About key tags  libor.peltan
    Re: [DNSOP] [Ext] Re: About key tags  Edward Lewis
    Re: [DNSOP] [Ext] About key tags  Joe Abley
    Re: [DNSOP] [Ext] About key tags  Petr Špaček
    Re: [DNSOP] [Ext] About key tags  Jim Reid
    Re: [DNSOP] [Ext] About key tags  Jim Reid
    Re: [DNSOP] [Ext] About key tags  Edward Lewis
    Re: [DNSOP] [Ext] About key tags  Shumon Huque
    Re: [DNSOP] [Ext] About key tags  Peter Thomassen
    Re: [DNSOP] [Ext] About key tags  Peter Thomassen
    Re: [DNSOP] [Ext] About key tags  Mark Andrews
    Re: [DNSOP] [Ext] About key tags  Paul Hoffman
    Re: [DNSOP] [Ext] About key tags  John Levine
    Re: [DNSOP] [Ext] About key tags  Mark Andrews
    Re: [DNSOP] [Ext] About key tags  Mark Andrews
    Re: [DNSOP] [Ext] About key tags  John R Levine
    Re: [DNSOP] [Ext] About key tags and sensible lim…  John Levine
    Re: [DNSOP] [Ext] About key tags  Paul Wouters
    Re: [DNSOP] [Ext] About key tags  libor.peltan
    Re: [DNSOP] [Ext] About key tags  John Levine
    Re: [DNSOP] [Ext] About key tags  Mark Andrews
    Re: [DNSOP] [Ext] About key tags  Shumon Huque
    Re: [DNSOP] [Ext] About key tags  Paul Hoffman
    Re: [DNSOP] [Ext] About key tags and their infreq…  John R Levine
    Re: [DNSOP] [Ext] About key tags  Edward Lewis
    Re: [DNSOP] [Ext] About key tags  Shumon Huque
    Re: [DNSOP] [Ext] About key tags  Mark Andrews
    Re: [DNSOP] [Ext] About key tags  Mark Andrews
    Re: [DNSOP] [Ext] About key tags  Mark Andrews
    Re: [DNSOP] [Ext] About key tags  Paul Wouters
    Re: [DNSOP] [Ext] About key tags and collision nu…  John R Levine
    Re: [DNSOP] [Ext] About key tags  Paul Hoffman
    Re: [DNSOP] [Ext] About key tags and collision nu…  Mark Andrews
    Re: [DNSOP] [Ext] About key tags  Ralf Weber
    Re: [DNSOP] [Ext] About key tags  Edward Lewis
    Re: [DNSOP] [Ext] About key tags  Joe Abley
    Re: [DNSOP] [Ext] About key tags  Shumon Huque
    Re: [DNSOP] [Ext] About key tags  Ted Lemon
    Re: [DNSOP] [Ext] About key tags  Paul Wouters
    Re: [DNSOP] [Ext] About key tags  John R Levine
    Re: [DNSOP] [Ext] About key tags  Petr Špaček
    Re: [DNSOP] [Ext] About key tags  Mark Andrews

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop