On Thu, Jul 26, 2018 at 8:38 PM Paul Hoffman <paul.hoff...@vpnc.org> wrote:

> On 26 Jul 2018, at 10:25, Ondřej Surý wrote:
>
> >> If the ZONEMD record is signed, the only person who can mount a
> >> collision attack is the zone owner themselves. If the ZONEMD record
> >> is unsigned, an attacker can just remove it.
> >
> > I believe that’s not true.  The ZONEMD can stay intact while the
> > attacker would modify the unsigned parts of the zone to create a same
> > checksum, but different contents?  He might be targeting just this
> > particular zone and its delegation, so everything else is
> > throw-away junk that can be modified.
> >
> >> What is the attack you are envisioning?
>
> You didn't answer the last question. It sounds like you want it as a
> signature over the entire zone. If so, then I fully agree that using
> hash algorithms that have known collision attacks is a very bad idea.
> But I also think that using ZONEMD as a strong signature is a bad idea:
> that's what signing algorithms are for.
>

I believe Ondrej is correct.

If we use hash algorithms that are vulnerable to collision attacks, then an
attacker might be able to produce a modified zonefile that hashes to the
same ZONEMD value (and thus the ZONEMD RRSIG).

Signing the whole zone directly isn't really much different. All DNSSEC
signature algorithms sign a hash of their input, so again we'd be signing a
hash of the full zone. So we should only be using cryptographic hash
functions not (yet) known to be vulnerable to collision attacks. So SHA256
or better.

Shumon.
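
The point made in the thread, that a signature over the ZONEMD value carries over to any zone content producing the same digest, as an added example that is not part of the original messages. Assumptions: the zone records are constructed, the digest is computed over sorted text lines rather than the real ZONEMD canonical form, SHA-256 truncated to 16 bits stands in for a broken hash, and an HMAC stands in for the RRSIG.

```python
import hashlib
import hmac

KEY = b"constructed-zone-signing-key"  # stand-in for the zone's DNSSEC private key

# Constructed sample zone. Delegation NS and glue records are unsigned in DNSSEC.
ZONE = [
    "example. SOA ns1.example. admin.example. 2018072601",
    "child.example. NS ns1.child.example.",
    "ns1.child.example. A 192.0.2.1",
    "junk.example. NS ns.junk.example.",
]

def strong_digest(records):
    """Full SHA-256 over the sorted records (simplified, not the real ZONEMD form)."""
    return hashlib.sha256("\n".join(sorted(records)).encode()).digest()

def weak_digest(records):
    """Toy digest: SHA-256 cut to 16 bits, so a matching input is cheap to find."""
    return strong_digest(records)[:2]

def sign(zonemd):
    """Stand-in for the RRSIG: it covers only the ZONEMD value, not the zone."""
    return hmac.new(KEY, zonemd, hashlib.sha256).digest()

def verify(records, zonemd, sig, digest):
    """Receiver's check: signature over ZONEMD is valid and the zone hashes to it."""
    return hmac.compare_digest(sig, sign(zonemd)) and digest(records) == zonemd

def forge(records, target, digest):
    """Change the unsigned glue, then vary a throw-away delegation until the
    digest equals the published value. No signing key is needed."""
    base = [r.replace("192.0.2.1", "203.0.113.66") for r in records[:3]]
    for i in range(1 << 24):
        candidate = base + [f"junk{i}.example. NS ns.junk.example."]
        if digest(candidate) == target:
            return candidate
    return None

if __name__ == "__main__":
    zonemd = weak_digest(ZONE)
    sig = sign(zonemd)
    forged = forge(ZONE, zonemd, weak_digest)
    print("weak digest accepts modified zone:", verify(forged, zonemd, sig, weak_digest))
    full = strong_digest(ZONE)
    print("SHA-256 accepts modified zone:", verify(forged, full, sign(full), strong_digest))
```
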