On Wed, Jan 08, 2020 at 08:50:05AM -0800, Ólafur Guðmundsson wrote:

> Due to the structure of DNS records this is hard to pull off,

Yes, at present.

> The only RR types that are suspect are the ones that can have 1440 of
> "garbage" at the end

Yes, at present, but the attacks may continue to improve, perhaps requiring fewer attacker-supplied blocks to reach a collision.

> DS has fixed size so it can not be used unless someone figures out how
> to select blocks that include valid DNS record envelopes.

Yes, while the block count to go from a chosen prefix to a collision is substantially more than 2.

> TXT will work if the attacker can encode lengths of the individual strings
> into a valid record ==> but who cares about TXT abuse

This is not correct, because with chosen-prefix attacks the two messages that collide need not share the same owner and type (that's the whole point of chosen-prefix: the initial segment of the second message can be freely chosen by the attacker). Therefore the TXT record can have the same signature as some more important record, perhaps a fake DNSKEY RRset for the zone apex!

> DNSKEY with RSA is a good candidate for this attack as any DNSKEY RRset
> for SHA1 algorithms can be attacked by adding a key that sorts to be last
> and is larger than 1440 bits.

But the real DNSKEY RRset is not attacker controlled; whoever creates the zone's DNSKEY RRs can already subvert the zone content in whatever way they see fit. Legitimate signatures of DNSKEYs are not at risk.

> Thus anyone that is using RSA algorithm < 8 should think about key or
> algorithm rollover

Yes, on this we can agree, even though the risk is lower for "leaf" zones that only sign their own content.

-- 
Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
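A check for the rollover advice the thread ends on, added here as an example and not part of the original message: it parses DNSKEY records from zone-file text, computes each key's key tag (RFC 4034 Appendix B) so operators can identify the key to roll, and flags the SHA-1/MD5-based algorithms. The zone fragment and the base64 key material are constructed placeholders, not real keys.

```python
import base64
import re

# DNSKEY algorithm numbers whose signatures rest on MD5 or SHA-1. The thread's
# "RSA algorithm < 8" covers RSASHA1 (5) and RSASHA1-NSEC3-SHA1 (7); the others
# listed here are the DSA/MD5 variants in the same situation.
SHA1_OR_WEAKER = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1",
                  6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1"}

# Presentation format: owner [TTL] IN DNSKEY flags protocol algorithm base64key
DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?IN\s+DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>[A-Za-z0-9+/=\s]+)$")

def key_tag(flags, proto, alg, pubkey):
    """Key tag per RFC 4034 Appendix B (non-RSAMD5 form) over the DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(line):
    """Parse one zone-file line; return None for anything that is not a DNSKEY."""
    m = DNSKEY_RE.match(line.strip())
    if not m:
        return None
    pubkey = base64.b64decode("".join(m["key"].split()))
    flags, proto, alg = int(m["flags"]), int(m["proto"]), int(m["alg"])
    return {"owner": m["owner"], "flags": flags, "alg": alg,
            "tag": key_tag(flags, proto, alg, pubkey)}

def audit_dnskeys(zone_text):
    """Return (owner, key tag, algorithm mnemonic, role) for every SHA-1/MD5 DNSKEY."""
    findings = []
    for line in zone_text.splitlines():
        rec = parse_dnskey(line)
        if rec and rec["alg"] in SHA1_OR_WEAKER:
            role = "KSK" if rec["flags"] & 1 else "ZSK"   # SEP bit marks the KSK
            findings.append((rec["owner"], rec["tag"], SHA1_OR_WEAKER[rec["alg"]], role))
    return findings

# Constructed sample zone fragment; "AQAB" is placeholder key material, not a real key.
SAMPLE_ZONE = """\
example.test. 3600 IN DNSKEY 257 3 5 AQAB
example.test. 3600 IN DNSKEY 256 3 13 AQAB
example.test. 3600 IN A 192.0.2.1
"""

if __name__ == "__main__":
    for owner, tag, alg, role in audit_dnskeys(SAMPLE_ZONE):
        print(f"{owner} {role} key tag {tag} uses {alg}: plan an algorithm rollover")
```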