[dns-operations] Support for ED25519/ED448 DS records by OpenSRS
ietf-dane at dukhovni.org
Mon Feb 22 17:36:23 UTC 2021
> On Feb 22, 2021, at 2:58 PM, Tony Finch <dot at dotat.at> wrote:
> Hash collision attacks need at least a couple of input blocks to work.
> (For instance, the SHA-1 input block size is 128 bytes and a SHAMBLES
> collision needs 588 bytes.) This is generally bigger than the hash output
> size (20 bytes for SHA-1, 32 bytes for SHA-256) so a correctly-sized DS
> record is too small to use for a signature collision attack.
Nitpick: the block size of SHA-1 is 512 bits or 64 bytes. Your conclusion
neverthelss remains valid:
* None of the standard DS hash algorithms produce digests long
enough for SHA-1 collision attacks to be practical within that
* There's no need to check the DNSKEY algorithm, just checking that
the digest length matches the DS digest hash algorithm is enough.
Therefore, if the DS hash algorithm is 2 or 4 check that the digest
length is 32 bytes or 48 bytes. For algorithm 1 check for 20 bytes,
but perhaps consider discouraging its use for new signed delegations.
More information about the dns-operations