Re: private algorithms and the DS record
Edward Lewis wrote:
> At 10:49 -0500 12/21/04, Samuel Weiler wrote:
> > Doesn't the DS hash already cover the name of the
> > algorithm, which is carried in the DNSKEY?
> There is that safety net, yes. Maybe all hope is not lost.
There is still potential for a security problem here, I think.
If an implementation pulls the private algorithm name from the DNSKEY
and eliminates the DNSKEY and DS before actually computing the SHA1 hash
of the DNSKEY.
This seems like a natural thing to do.
Certainly, there is a safer way to handle this, but how will a future
implementer be aware of the issue? By reading the namedropper archives?
--
David Blacka <davidb@verisignlabs.com>
Sr. Engineer VeriSign Applied Research
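As an added illustration, not part of the thread, the following shows what the "safety net" above consists of: the DS digest (RFC 4034 section 5.1.4) is computed over the owner name plus the entire DNSKEY RDATA, so for algorithm 253 (PRIVATEDNS) it also covers the algorithm's domain name at the start of the public key field. The owner name, algorithm name and key bytes are constructed sample values, and the "check the DS digest before acting on the algorithm name" ordering is one safe ordering, not a description of any particular implementation.

```python
import hashlib

PRIVATEDNS = 253  # algorithm number for a private algorithm named by a domain name (RFC 4034 App. A.1.1)

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a domain name (RFC 4034 s6.2): lower-case, length-prefixed labels, root label."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def wire_to_name(data: bytes, pos: int):
    """Parse an uncompressed wire-format name starting at pos; return (name, position after it)."""
    labels = []
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return ".".join(labels) + ".", pos
        labels.append(data[pos:pos + n].decode("ascii"))
        pos += n

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm (1 byte), public key field."""
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + public_key

def ds_digest_sha1(owner: str, rdata: bytes) -> bytes:
    """DS digest type 1: SHA-1 over the owner name (wire form) followed by the whole DNSKEY RDATA.
    The algorithm byte and, for PRIVATEDNS, the algorithm name inside the key field are therefore covered."""
    return hashlib.sha1(name_to_wire(owner) + rdata).digest()

def private_algorithm_name(rdata: bytes) -> str:
    """For algorithm 253 the public key field begins with the wire-format name of the private algorithm."""
    if rdata[3] != PRIVATEDNS:
        raise ValueError("not a PRIVATEDNS key")
    name, _ = wire_to_name(rdata, 4)
    return name

def algorithm_name_after_ds_check(owner: str, rdata: bytes, ds_digest: bytes):
    """Safe ordering: hash the DNSKEY against the DS first; only a key that matches has its name read out.
    A DNSKEY whose algorithm name differs from what the DS was computed over fails here instead of
    being sorted (or discarded) by the unverified name."""
    if ds_digest_sha1(owner, rdata) != ds_digest:
        return None
    return private_algorithm_name(rdata)

def build_example():
    """Constructed sample: a PRIVATEDNS KSK for example.com naming a hypothetical algorithm 'sig.alg.example.'."""
    owner = "example.com."
    key_bytes = b"\x01\x02\x03\x04"  # placeholder key material, not a real key
    rdata = dnskey_rdata(257, PRIVATEDNS, name_to_wire("sig.alg.example.") + key_bytes)
    renamed = dnskey_rdata(257, PRIVATEDNS, name_to_wire("other.alg.example.") + key_bytes)
    return owner, rdata, renamed, ds_digest_sha1(owner, rdata)
```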
archive: <http://ops.ietf.org/lists/namedroppers/>