> On 27 Jul 2018, at 10:37 am, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
>
> On 26 Jul 2018, at 10:25, Ondřej Surý wrote:
>
>>> If the ZONEMD record is signed, the only person who can mount a collision
>>> attack is the zone owner themselves. If the ZONEMD record is unsigned, an
>>> attacker can just remove it.
>>
>> I believe, that’s not true. The ZONEMD can stay intact while the attacker
>> would modify the unsigned parts of the zone to create the same checksum, but
>> different contents? He might be targeting just this particular zone and
>> its delegation, so everything else is throw-away junk that can be modified.
>>
>>> What is the attack you are envisioning?
>
> You didn't answer the last question. It sounds like you want it as a
> signature over the entire zone. If so, then I fully agree that using hash
> algorithms that have known collision attacks is a very bad idea. But I also
> think that using ZONEMD as a strong signature is a bad idea: that's what
> signing algorithms are for.

ZONEMD and XHASH can both be modelled as a cryptographic hash (NSEC3) or
cryptographic hash + signature (RRSIG). The latter will take less space in
the zone but more work to update when the signature expires. Either model
will prevent record changes.

> --Paul Hoffman
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org