
Re: DNSKEY flags field



Genuine - meaning that the match of the DNSKEY proto=4 and the DS hash is not the result of a malicious party's insertion of data.

Let's put the question another way. This is a question, I'm seeking ideas.

I begin with a trusted key that I do not question, it's "configured." I use it to verify, in the DNSSEC sense, down the tree to a DS RR (set). I now pick up a DNSKEY RR and find that it matches the DS's RR set. How much do I gain by finding out that the DNSKEY set also matches the signature generated by one of the private keys corresponding to the set? What are the chances it'll fail the signature check?

So, by genuine, I mean, the DNSKEY was used to generate the DS RR's hash for it, and not some other public key that was crafted to match the hash.

(Does this make sense? It barely makes sense to me.)

At 16:03 -0400 6/14/04, Rob Austein wrote:
> At Mon, 14 Jun 2004 15:49:52 -0400, Ed Lewis wrote:
> >
> > Tossing out this - how safe is it to assume that if the hash in a DS RR matches the DNSKEY RR with proto=4, that the DNSKEY RR is genuine? Even if the RRSIG over the DNSKEY set indicates keys that are all proto=4?
>
> Define "genuine". Seriously.
>
> Properly signed DS is an attestation by the parent that it believes
> that the child has asked to have this signed key hash listed and that
> listing this signed key hash doesn't violate the parent's (unknown,
> not part of protocol) policies.  Further deponent sayeth not.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                          +1-703-227-9854
ARIN Research Engineer

"I can't go to Miami.  I'm expecting calls from telemarketers." -
Grandpa Simpson.

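The linkage Ed is asking about, as an added Python example that is not code from the thread or from any project it mentions: it builds DNSKEY RDATA, computes the RFC 4034 key tag and DS digest, and checks a DS against a DNSKEY, which makes visible that a DS match is nothing more than a digest comparison over the canonical owner name plus the DNSKEY RDATA bytes. The owner name, public key bytes and flag/algorithm values are constructed; the protocol value used is 3, the value RFC 4034 specifies, rather than the proto=4 under discussion in the thread. The example stops at the DS step on purpose: the RRSIG over the DNSKEY RRset is the step that (a) proves the holder of the DS-listed key's private half actually signed, and (b) extends trust to the keys in the set that the DS never covers.

```python
"""DS-to-DNSKEY linkage check (RFC 4034 section 5.1.4 and Appendix B).

Added example, not code from the thread. All key material below is
constructed; the public key bytes are an arbitrary pattern, not a real key.
"""
import hashlib

# Digest types registered for DS records (1 = SHA-1, RFC 4034; 2 = SHA-256, RFC 4509).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase labels, each
    length-prefixed, terminated by the root label (RFC 4034 section 6.2)."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """RDATA of a DNSKEY RR: 2-byte flags, 1-byte protocol, 1-byte algorithm,
    then the public key bytes (RFC 4034 section 2.1)."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B; algorithm 1 uses a
    different formula, not handled here). Not a cryptographic check: it only
    narrows down which DNSKEY in the set a DS refers to."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = H(canonical owner name | DNSKEY RDATA)."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).digest()


def make_ds(owner, rdata, digest_type=2):
    """The DS RDATA tuple (key tag, algorithm, digest type, digest) the parent
    would publish for this DNSKEY."""
    algorithm = rdata[3]
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches(ds, owner, rdata):
    """Does this DNSKEY match the DS? True means the parent listed exactly these
    RDATA bytes under this owner name; it says nothing about whether the
    corresponding private key has signed anything."""
    tag, algorithm, digest_type, digest = ds
    if digest_type not in DIGEST_ALGS:
        return False  # unsupported digest type: cannot be evaluated, so no match
    return (tag == key_tag(rdata)
            and algorithm == rdata[3]
            and digest == ds_digest(owner, rdata, digest_type))


def ds_anchored_keys(ds_set, owner, dnskey_rrset):
    """The subset of a DNSKEY RRset that is linked from the DS RRset. Keys
    outside this subset (typically ZSKs) get trust only from an RRSIG over
    the whole DNSKEY RRset made with one of the returned keys."""
    return [rdata for rdata in dnskey_rrset
            if any(ds_matches(ds, owner, rdata) for ds in ds_set)]


# Constructed zone data (not real keys): a KSK with the SEP flag and a ZSK without.
OWNER = "example.test."
KSK = dnskey_rdata(257, 3, 8, bytes(range(1, 33)))
ZSK = dnskey_rdata(256, 3, 8, bytes(range(33, 65)))
DS_SET = [make_ds(OWNER, KSK)]


if __name__ == "__main__":
    print("KSK key tag:", key_tag(KSK))
    print("DS matches KSK:", ds_matches(DS_SET[0], OWNER, KSK))
    print("DS matches ZSK:", ds_matches(DS_SET[0], OWNER, ZSK))
    print("keys anchored by DS:", len(ds_anchored_keys(DS_SET, OWNER, [KSK, ZSK])))
```

Run directly, it reports that only the KSK is anchored by the DS; the ZSK is outside the DS digest entirely, and changing the owner name or a single key byte breaks the match. That is the whole content of "matches the DS": a second-preimage on the digest would be needed to substitute a different key, but the match itself demonstrates no knowledge of the private key, which is what the signature check over the DNSKEY RRset adds.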