[dns-operations] Support for ED25519/ED448 DS records by OpenSRS

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Feb 22 17:36:23 UTC 2021

> On Feb 22, 2021, at 2:58 PM, Tony Finch <dot at dotat.at> wrote:
> Hash collision attacks need at least a couple of input blocks to work.
> (For instance, the SHA-1 input block size is 128 bytes and a SHAMBLES
> collision needs 588 bytes.) This is generally bigger than the hash output
> size (20 bytes for SHA-1, 32 bytes for SHA-256) so a correctly-sized DS
> record is too small to use for a signature collision attack.

Nitpick: the block size of SHA-1 is 512 bits or 64 bytes.  Your conclusion
nevertheless remains valid:

 * None of the standard DS hash algorithms produce digests long
   enough for SHA-1 collision attacks to be practical within that

 * There's no need to check the DNSKEY algorithm, just checking that
   the digest length matches the DS digest hash algorithm is enough.

Therefore, if the DS hash algorithm is 2 or 4 check that the digest
length is 32 bytes or 48 bytes.  For algorithm 1 check for 20 bytes,
but perhaps consider discouraging its use for new signed delegations.
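
Added example (not part of the original message, and not OpenSRS code): a digest-length check of the kind described above, as a registrar or registry might apply it to a submitted DS record. The function name, the constructed sample records, and the choice to reject digest types other than 1, 2 and 4 are assumptions of this example.

```python
# Expected digest length in bytes per DS digest type, as given in the message:
# 1 = SHA-1 (20 bytes), 2 = SHA-256 (32 bytes), 4 = SHA-384 (48 bytes).
EXPECTED_LEN = {1: 20, 2: 32, 4: 48}


def check_ds_rdata(rdata):
    """Validate DS RDATA in presentation format:
    keytag algorithm digest-type digest(hex, may be split by whitespace).

    Returns (accepted, reason). The DNSKEY algorithm field is range-checked
    but deliberately plays no part in the length decision.
    """
    fields = rdata.split()
    if len(fields) < 4:
        return False, "expected: keytag algorithm digest-type digest"
    try:
        key_tag, algorithm, digest_type = (int(f) for f in fields[:3])
    except ValueError:
        return False, "keytag, algorithm and digest type must be integers"
    if not (0 <= key_tag <= 0xFFFF and 0 <= algorithm <= 0xFF
            and 0 <= digest_type <= 0xFF):
        return False, "field out of range"
    try:
        digest = bytes.fromhex("".join(fields[3:]))
    except ValueError:
        return False, "digest is not valid hex"
    expected = EXPECTED_LEN.get(digest_type)
    if expected is None:
        return False, f"digest type {digest_type} not handled by this example"
    if len(digest) != expected:
        return False, (f"digest type {digest_type} needs {expected} bytes, "
                       f"got {len(digest)}")
    if digest_type == 1:
        return True, "ok, but SHA-1 is discouraged for new delegations"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample records (key tag and digests are made up).
    samples = [
        "12345 15 2 " + "ab" * 32,   # ED25519 key, SHA-256 digest
        "12345 16 4 " + "cd" * 48,   # ED448 key, SHA-384 digest
        "12345 15 1 " + "ef" * 20,   # SHA-1 digest, correct length
        "12345 15 1 " + "00" * 588,  # far larger than any DS digest
    ]
    for s in samples:
        print(check_ds_rdata(s), s[:24] + "...")
```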

