[dns-operations] [Ext] Re: help with a resolution

Warren Kumari warren at kumari.net
Thu Jan 9 23:02:43 UTC 2020 

[ Top-post ]

... and once again I understand the "Do not disagree with the
Dukhovni, for you will end up feeling foolish..." truism...

Somehow, even though I read (and re-read) the "chosen-prefix" part of
"chosen-prefix collision", for some reason when it came to DNSSEC I
felt that the *attacker* needed to be the one choosing the prefix
(because of the concatenation of the RRSIG RDATA and the RRSET)

I started reading Tony Finch's excellent blog post (
https://www.dns.cam.ac.uk/news/2020-01-09-sha-mbles.html ), all the
while shaking my head in disagreement...  and then read the "sort
after the innocuous prefix" phrase and the penny finally dropped.

Ok, I see the concern now, and *do* feel foolish for not getting it sooner...

Shame cube,
W

On Wed, Jan 8, 2020 at 7:12 PM Warren Kumari <warren at kumari.net> wrote:
>
> On Wed, Jan 8, 2020 at 6:47 PM Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> >
> > On Wed, Jan 08, 2020 at 06:00:06PM -0500, Viktor Dukhovni wrote:
> >
> > > Well, there are various services where indeed the zone administrator signs
> > > records from authenticated, but otherwise untrusted customers, provided
> > > the RR owner is associated with the customer.
> > >
> > > For example, the .DE zone (which uses algorithm 8, so not subject to
> > > any SHA-1 issues) allows registrants that only need a handful of
> > > DNS records to have those records published directly in the .DE
> > > zone, without delegation.
> > >
> > > Other zones may make similar arrangements.
> >
> > Or more simply, when Let's Encrypt, or some cloud provider asks you to
> > publish a TXT RR in your zone to prove zone control, how sure are you
> > that's not a hash collision in disguise?
>
> It **could** be, but I'm still failing to see how they could use this
> -- LE asks me to publish:
>
> _acme-challenge.example.com 600 IN TXT "I_like_Cheese" in my zone, and
> I sign it.
>
> LE asks Bob to publish:
> _acme-challenge.example.net 600 IN TXT "I_like_Natchos" in his zone,
> and Bob signs it.
>
> I_like_Cheese and I_like_Natchos hash to the same output - 0x12345,
> and both Bob and I have signed it (actually, what get signed is the
> concatenation of the RRSIG RDATA and the RRSET, and so the LE doesn't
> really get to choose the prefix, but lets ignore that).
>
> Now the attacker (LE) has gotten both Bob and I to sign this, and when
> someone queries for _acme-challenge.example.com LE could inject
> "I_like_Natchos" instead of "I_like_Cheese" -- but both of these
> strings were messages under the attackers control anyway. Yes, I feel
> that there *might* be a way that this can be pivoted into something
> useful to the attacker, but I'm still not seeing it...
>
> W
>
>
> > --
> >     Viktor.
> > _______________________________________________
> > dns-operations mailing list
> > dns-operations at lists.dns-oarc.net
> > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
>
>
> --
> I don't think the execution is relevant when it was obviously a bad
> idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair
> of pants.
>    ---maf



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

More information about the dns-operations mailing list