[Dnssec-deployment] cases - was Re: Barbie sez: "Algorithm rollovers are HARD!"
dougb at dougbarton.us
Tue Aug 17 15:07:18 EDT 2010
On 08/17/2010 07:17, Edward Lewis wrote:
> The motivation for the specification statement is to avoid a downgrade
> vulnerability. If it were optional to generate a signature, then it
> would be easy to fool a validator into dropping its checking procedure.
> By requiring a signer to generate a signature for each algorithm this
> meant that a stripped signature wouldn't lead a validator to ever assume
> that the data was intentionally unsigned. That is, a validator should
> assume a record, in a secure subtree, is signed unless proven otherwise.
> The reason one of "every algorithm" is mentioned is to cover the case
> where some population of validators did not implement a particular
> cryptographic algorithm. If a validator saw the DS set and validated it,
> the validator could then flip through the DS records and determine if
> there was any key whose algorithm was understood. It's possible that a
> zone has a DS record but a validator would proceed as if the zone was
> not signed because the signatures would be unparseable.
I agree with this description. If there are validators that are doing
other than this, we need to get the word out ASAP, as well as deal with
the protocol spec (as I know Ed is already doing).
Furthermore, given that we've been saying all along that DS records
should act like NS records as much as possible (and common sense), the
way alg rollovers SHOULD work is:
0. DS-alg1 is in parent, *SK-alg1 and RRSIGs-alg1 are in zone.
1. Shorten TTL on *SK and shorten signature validity period on RRSIGs
2. Add *SK-alg2 to zone, sign zone with both keys.
3. Add DS-alg2 to parent
4. Verify that DS-alg2 is visible on all of parent's authorities.
5. Pull DS-alg1 from parent.
6. Verify that DS-alg1 is no longer visible on all of parent's authorities.
7. Wait (TTL-of-*SK-alg1 x 2), which should also cover the signature
validity period, then pull *SK-alg1 from zone, and resign with only
If it can't work like that, then something is really, desperately wrong.
Improve the effectiveness of your Internet presence with
a domain name makeover! http://SupersetSolutions.com/
Computers are useless. They can only give you answers.
-- Pablo Picasso
More information about the Dnssec-deployment