[dnssec-deployment] DNSSEC in Russia

[Edward Lewis]

At 13:18 -0700 4/2/09, Paul Hoffman wrote:

>...with a signature algorithm that has had little cryptographic analysis done
>that could be verified by other cryptographers (and for which there is
>already some damaging analysis that can be found trivially with Google).
>Why should the root sign with such an algorithm?

Why shouldn't it?  DNSSEC is a mechanism for the relying party to 
verify that the data they have received in response to a query is 
complete and true to the source.  It is up to the verifier's policy 
to decide what is and what is not an acceptable means to achieve this.

If you restrict the signing to select algorithms you 1) are setting 
up an exclusionary policy that will be put under review and 2) are 
restricting the choice of local policy by the verifiers.

I can't seen any upside, other than minimizing the size of the root 
zone and traffic, to being restrictive.

>If a zone wants to sign with an algorithm other than what everyone else is
>using, that's fine. Users of that algorithm that cannot use any other
>algorithm can load the highest-level zones signed with it in their trust
>anchor pile.

I can't respond to that, I don't understand your point.

>Adding additional algorithms, particularly ones that have not been studied
>much, to resolvers gives attackers new ways to break the security of DNSSEC.
>That doesn't seem like a good idea.

"Not studied much" by whom?  Who decides?  I can't get a straight 
answer from a cryptographer about what's a suitable key length in 
RSA, much less an answer about the soundness of an algorithm.

I don't agree that the presence of an algorithm in a zone lowers the 
security of a zone relative to the other algorithms in it.  The 
verifier has the final say.
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Getting everything you want is easy if you don't want much.