[Dnssec-deployment] cases - was Re: Barbie sez: "Algorithm rollovers are HARD!"

Doug Barton dougb at dougbarton.us
Tue Aug 17 15:07:18 EDT 2010

On 08/17/2010 07:17, Edward Lewis wrote:
> The motivation for the specification statement is to avoid a downgrade
> vulnerability.  If it were optional to generate a signature, then it
> would be easy to fool a validator into dropping its checking procedure.
> By requiring a signer to generate a signature for each algorithm this
> meant that a stripped signature wouldn't lead a validator to ever assume
> that the data was intentionally unsigned.  That is, a validator should
> assume a record, in a secure subtree, is signed unless proven otherwise.
> The reason one of "every algorithm" is mentioned is to cover the case
> where some population of validators did not implement a particular
> cryptographic algorithm. If a validator saw the DS set and validated it,
> the validator could then flip through the DS records and determine if
> there was any key whose algorithm was understood.  It's possible that a
> zone has a DS record but a validator would proceed as if the zone was
> not signed because the signatures would be unparseable.

I agree with this description. If there are validators that are doing 
other than this, we need to get the word out ASAP, as well as deal with 
the protocol spec (as I know Ed is already doing).

Furthermore, given that we've been saying all along that DS records 
should act like NS records as much as possible (and common sense), the 
way alg rollovers SHOULD work is:

0. DS-alg1 is in parent, *SK-alg1 and RRSIGs-alg1 are in zone.
1. Shorten TTL on *SK and shorten signature validity period on RRSIGs
2. Add *SK-alg2 to zone, sign zone with both keys.
3. Add DS-alg2 to parent
4. Verify that DS-alg2 is visible on all of parent's authorities.
5. Pull DS-alg1 from parent.
6. Verify that DS-alg1 is no longer visible on all of parent's authorities.
7. Wait (TTL-of-*SK-alg1 x 2), which should also cover the signature 
validity period, then pull *SK-alg1 from zone, and resign with only 

If it can't work like that, then something is really, desperately wrong.



	Improve the effectiveness of your Internet presence with
	a domain name makeover!    http://SupersetSolutions.com/

	Computers are useless. They can only give you answers.
			-- Pablo Picasso

More information about the Dnssec-deployment mailing list