[dnssec-deployment] aug2004 CAM of interest?

bmanning at vacation.karoshi.com
Tue Aug 17 16:55:24 EDT 2004


> >	my worry is the IETF change process. :)
> 
> My worry is the sun going nova and consuming the Earth.

	me too :)

> Bill, let's not let our fears outstrip our ability to make progress.

	not at all. just don't want to forget hard earned lessons.

> >	Field upgrades to replace "busted crypto"
> >	with "pristine crypto" are going to be loads of fun.  Someone
> >	with a better eye for detail (Olafur/Ed?) may want to reiterate
> >	the interesting problems with signing w/ different algos last
> >	century.  Me thinks we still have this as a latent issue.
> 
> Yeah, if you think zone enumeration is an issue, try mixing 
> algorithms.  My first bad experience came about 5 years ago with the 
> writing of the second signer.  It was a pain then.  It still was in 
> spring of 2003 when we thought of this at the palatial ISC office 
> park:
> 
> E.g., what if a zone has keys of algorithm X and Y, and the validator 
> has just X keys.  Assuming that the parent of the zone also has X, 
> the validator can then validate the DS set for the zone, as well as 
> the DNSKEY RR for the zone.
> 
> At that time, the specs allowed the zone admin to choose to sign 
> everything else in the zone with just Y.  How does the validator 
> detect that the absence of an X signature is 1) by admin choice or 2) 
> a stripping attack?
> 
> I don't know if the proposed solution made DNSSECbis.  How realistic 
> is this?  Imagine X as a current mandatory to implement algorithm and 
> Y as a replacement for a broken X.  If this isn't fixed, then we 
> could wind up with confused validators.

	I think that long-term, this is -very- realistic.
	Stuff gets broken and has to be swapped out/replaced.
	Handwaving (there be dragons) is only ok if one remembers
	that they must be dealt with ... possibly sooner than later. 
	This is going to be harder than key rollover. 

> Multiple algorithms and mixing mandatory-to-implement with 
> experimental algorithms is a box owned by Pandora.

	amen.  but we'd better open it anyway.  (or am I the lone
	wolf on this?)


--bill
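
Added example, not part of Bill's message or of the list archive: a Python model of the mixed-algorithm case Ed describes above. It encodes the rule DNSSECbis adopted in RFC 4035, section 2.2 (every RRset must carry an RRSIG from at least one DNSKEY of each algorithm present in the apex DNSKEY RRset) and the validator side from RFC 6840, section 5.11 (one valid signature path is enough; a validator must not insist that every algorithm verify). It is not real DNSSEC: signatures are HMAC-SHA256 over a canonical string so the example runs offline, and the algorithm numbers ALG_X/ALG_Y, the key tags, the key "secrets" and the www.example. A record are all constructed. The DNSKEY RRset is assumed already validated through the parent's DS, which is the premise of the thread.

```python
"""Constructed model of DNSSEC multi-algorithm signing and validation.
Signatures are HMAC-SHA256 stand-ins; only the algorithm bookkeeping is
meant to mirror RFC 4035 s2.2 and RFC 6840 s5.11."""
import hashlib
import hmac
from dataclasses import dataclass, field

ALG_X = 1  # constructed stand-in for the mandatory-to-implement algorithm
ALG_Y = 2  # constructed stand-in for its replacement


@dataclass(frozen=True)
class DNSKEY:
    algorithm: int
    key_tag: int
    secret: bytes  # stand-in for real key material (constructed)


@dataclass(frozen=True)
class RRSIG:
    type_covered: str
    algorithm: int
    key_tag: int
    mac: bytes


@dataclass
class RRset:
    name: str
    rtype: str
    rdata: tuple
    rrsigs: list = field(default_factory=list)


def canonical(rrset):
    """Canonical form the signature covers (name, type, sorted RDATA)."""
    return f"{rrset.name}/{rrset.rtype}/" + "|".join(sorted(rrset.rdata))


def sign(rrset, key):
    mac = hmac.new(key.secret, canonical(rrset).encode(), hashlib.sha256).digest()
    return RRSIG(rrset.rtype, key.algorithm, key.key_tag, mac)


def verify(rrset, sig, key):
    if (sig.algorithm, sig.key_tag) != (key.algorithm, key.key_tag):
        return False
    expected = hmac.new(key.secret, canonical(rrset).encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig.mac, expected)


def signer_lint(dnskeys, rrsets):
    """Signer-side check for RFC 4035 s2.2: each RRset needs an RRSIG from
    every algorithm present in the apex DNSKEY RRset. Returns the
    (rtype, algorithm) pairs that are missing; an empty list means compliant."""
    required = {k.algorithm for k in dnskeys}
    missing = []
    for rrset in rrsets:
        present = {s.algorithm for s in rrset.rrsigs}
        for alg in sorted(required - present):
            missing.append((rrset.rtype, alg))
    return missing


def validate(rrset, dnskeys, supported):
    """Validator-side decision for a resolver implementing `supported` algorithms.
    Assumes the DNSKEY RRset was already validated through the parent's DS."""
    usable = [k for k in dnskeys if k.algorithm in supported]
    if not usable:
        return "insecure"  # none of the zone's algorithms understood: nothing to check
    for sig in rrset.rrsigs:
        for key in usable:
            if verify(rrset, sig, key):
                return "secure"  # RFC 6840 s5.11: one valid path is enough
    # A supported algorithm is in DNSKEY yet no signature of it verifies. Under
    # the s2.2 rule the zone must have signed with it, so this is stripping or a
    # broken zone, not an admin choice: bogus, never insecure.
    return "bogus"


def scenario(sign_with, strip=frozenset()):
    """Build a two-algorithm zone (constructed data). `sign_with` selects the
    algorithms the signer uses; `strip` simulates an on-path attacker removing
    signatures of those algorithms from the response."""
    kx = DNSKEY(ALG_X, 100, b"x-key-material")
    ky = DNSKEY(ALG_Y, 200, b"y-key-material")
    www = RRset("www.example.", "A", ("192.0.2.1",))
    for key in (kx, ky):
        if key.algorithm in sign_with:
            www.rrsigs.append(sign(www, key))
    www.rrsigs = [s for s in www.rrsigs if s.algorithm not in strip]
    return www, [kx, ky]


def lint(sign_with):
    www, dnskeys = scenario(sign_with)
    return signer_lint(dnskeys, [www])


def outcome(sign_with, supported, strip=frozenset()):
    www, dnskeys = scenario(sign_with, strip)
    return validate(www, dnskeys, supported)


if __name__ == "__main__":
    print("lint, zone signed with Y only:        ", lint({ALG_Y}))
    print("X-only validator, zone signed Y only: ", outcome({ALG_Y}, {ALG_X}))
    print("X-only validator, X sigs stripped:    ", outcome({ALG_X, ALG_Y}, {ALG_X}, strip={ALG_X}))
    print("X-only validator, zone fully signed:  ", outcome({ALG_X, ALG_Y}, {ALG_X}))
```

The two middle cases are the point: to a validator that only implements X, a zone the admin chose to sign with Y alone and a fully signed zone whose X signatures were stripped on the wire look identical, so the validator cannot answer Ed's question by itself. The signing rule removes the first case entirely (signer_lint flags it before the zone is published), which is what lets the validator treat the second as bogus rather than downgrading to insecure. The "insecure" branch is the separate case where the validator understands none of the zone's algorithms.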


