[dns-operations] [Ext] Re: help with a resolution

Tony Finch dot at dotat.at
Fri Jan 10 01:41:53 UTC 2020


Warren Kumari <warren at kumari.net> wrote:

> Ok, I see the concern now, and *do* feel foolish for not getting it sooner...

I have learned a lot this week :-)

I have been using DNSSEC for about 10 years and only this week have I had
to care about the details of how an RRSIG is constructed.

I saw the MD5 chosen-prefix collision certificate in 2008 and I thought,
wow that's cool, but I didn't sweat the details.

I saw the commentary from X.509 and TLS people about how shaky SHA-1 was
in 2015, and I didn't examine the implications for DNSSEC. Same again
after the SHA-1 collision in 2017.

I saw the Eurocrypt SHA-1 chosen-prefix attack last year but I didn't
think about the consequences. As soon as I saw the SHAmbles announcement I
realised what it actually meant and that DNSSEC was in serious trouble.

It took me a couple of afternoons to write the blog article. The second
half and the more tricky cases owe a lot to discussions with Viktor.

I, too, feel foolish for not getting it sooner - I can't complain there
weren't enough clues!

https://www.dns.cam.ac.uk/news/2020-01-09-sha-mbles.html

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Mull of Galloway to Mull of Kintyre including the Firth of Clyde and North
Channel: Mainly northwesterly 3 to 5, backing southerly 4 to 6, increasing 7
to severe gale 9 later. Smooth or slight at first in Firth of Clyde, otherwise
moderate or rough. Showers, rain later. Good, occasionally poor later.


