On Thu, Jul 26, 2018 at 8:38 PM Paul Hoffman <paul.hoff...@vpnc.org> wrote:
> On 26 Jul 2018, at 10:25, Ondřej Surý wrote:
>
> >> If the ZONEMD record is signed, the only person who can mount a
> >> collision attack is the zone owner themselves. If the ZONEMD record
> >> is unsigned, an attacker can just remove it.
> >
> > I believe that’s not true. The ZONEMD can stay intact while the
> > attacker would modify the unsigned parts of the zone to create the same
> > checksum, but different contents? He might be targeting just this
> > particular zone and its delegation, so everything else is
> > throw-away junk that can be modified.
> >
> >> What is the attack you are envisioning?
>
> You didn't answer the last question. It sounds like you want it as a
> signature over the entire zone. If so, then I fully agree that using
> hash algorithms that have known collision attacks is a very bad idea.
> But I also think that using ZONEMD as a strong signature is a bad idea:
> that's what signing algorithms are for.
>

I believe Ondrej is correct. If we use hash algorithms that are vulnerable to collision attacks, then an attacker might be able to produce a modified zonefile that hashes to the same ZONEMD value (and thus the ZONEMD RRSIG).

Signing the whole zone directly isn't really much different. All DNSSEC signature algorithms sign a hash of their input, so again we'd be signing a hash of the full zone.

So we should only be using cryptographic hash functions not (yet) known to be vulnerable to collision attacks. So SHA256 or better.

Shumon.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
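Added example, not part of the thread or of the ZONEMD draft: a digest check vouches only for the digest value, so a zone whose unsigned delegation data was altered still verifies if its digest matches. The sample zone, the simplified canonical form, the function names and the 16-bit truncation (standing in for a hash that no longer resists such attacks) are all assumptions made for illustration.

```python
import hashlib

# Constructed sample zone as (owner, type, rdata). The delegation NS records
# and the glue are the parts DNSSEC leaves unsigned, as discussed in the thread.
ZONE = [
    ("example.", "SOA", "ns1.example. admin.example. 1 7200 3600 1209600 3600"),
    ("example.", "NS", "ns1.example."),
    ("child.example.", "NS", "ns.child.example."),
    ("ns.child.example.", "A", "192.0.2.53"),
]

def zone_digest(records, bits=256):
    """SHA-256 over the sorted records, truncated to `bits` bits.
    Simplified canonical form (an assumption), not the ZONEMD draft's."""
    text = "\n".join(" ".join(r) for r in sorted(records))
    full = hashlib.sha256(text.encode()).digest()
    return int.from_bytes(full, "big") >> (256 - bits)

def verify(records, trusted_digest, bits=256):
    """What a ZONEMD-style check does: recompute and compare. The signature
    vouches for trusted_digest only, never for the records themselves."""
    return zone_digest(records, bits) == trusted_digest

def find_substitute(records, trusted_digest, bits, max_tries):
    """Change the glue address, then vary a throw-away unsigned record until
    the digest matches again. Returns the altered zone or None."""
    altered = [r for r in records if r[1] != "A"]
    altered.append(("ns.child.example.", "A", "203.0.113.66"))
    for i in range(max_tries):
        candidate = altered + [("junk.example.", "NS", f"filler-{i}.")]
        if verify(candidate, trusted_digest, bits):
            return candidate
    return None

if __name__ == "__main__":
    for bits, tries in ((16, 2_000_000), (256, 200_000)):
        found = find_substitute(ZONE, zone_digest(ZONE, bits), bits, tries)
        print(f"{bits}-bit digest: substitute zone "
              f"{'accepted' if found else 'not found'} within {tries} tries")
```

With the weak digest the altered zone passes verification unchanged, which is why a verifier should accept only digest algorithms with no known collision weaknesses.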