[dns-operations] [Ext] Re: DNSSEC and multiple signatures

Edward Lewis edward.lewis at icann.org
Wed May 19 20:18:28 UTC 2021

On 5/17/21, 8:15 PM, "dns-operations on behalf of Viktor Dukhovni" <dns-operations-bounces at dns-oarc.net on behalf of ietf-dane at dukhovni.org> wrote:

>Bottom line: make sure *all* your signatures are valid, if you sign
>with multiple algorithms...

I disagree with that advice.  Building a truly verifiable (following all the rules as well as cryptographic calculations) chain of trust is hard enough that having one chain is sufficient reason to accept a data set as authentic and complete.  (Note though that an authentic and complete data set may not be the latest version or even correct.)

But reading Viktor's statement over and over, perhaps I should clarify:

When signing - "don't screw up", yes, do your utmost to: make sure *all* of your signatures are valid, (whether or not) if you sign with multiple algorithms.

But when signing, data changes and you may publish a signature in one moment and a new data set (with a new signature) in the next moment (new zone serial number).

When validating - the world looks different because of that.  A validator ought to be satisfied with any single complete chain.

A broken signature alongside a working signature might be a case of a software bug in a crypto-library or signature preparation.  In a time when data sets are changing, it's possible that a wonky verifier might confuse an older signature with a newer set.  (This is what was anticipated in the days of yore when the protocol was assembled.)

And we anticipated this - if one wanted to DOS a data set that was DNSSEC signed, just add a garbage signature to the message.  If the validator tossed the set at the sight of a failed chain, you'd accomplish your goal.  Generating garbage to bring something down is much easier than forging a signature.  Ok, not exactly the same vulnerability, but we really can't anticipate what an adversary might want to do, other than disrupt a service.

There was a validator once (name withheld to protect the guilty, many will know the case) that failed data sets when it saw a set signed with one algorithm and had a valid chain, but then saw a second algorithm in the authoritative zone's DNSKEY set.  Although a signer must generate signatures of all algorithms in a zone's DNSKEY set, this rule does not apply in validation.  Why?  Because the validator might be getting a copy of the data set emitted before the new key was published in the DNSKEY set.  Validators can't assume that all the data sets for a zone (or even a name) are from the same zone serial number.

Moral: DNSSEC makes the DNS more brittle (by eliminating protocol states that are questionable).  Don't overtighten it.
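
Added example, not part of the original message and not code from any real validator: a toy model of the two validation policies discussed above, run against the garbage-signature and key-rollover cases the message describes. HMAC-SHA256 stands in for real RRSIG verification, the DNSKEY set is assumed to be already trusted, and all names, keys, key tags and records are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
# Toy model: HMAC-SHA256 stands in for public-key RRSIG verification so this
# runs on the standard library alone. Keys, tags and the RRset are constructed.
@dataclass(frozen=True)
class Rrsig:
    algorithm: int      # DNSSEC algorithm number (8 = RSASHA256, 13 = ECDSAP256SHA256)
    key_tag: int
    signature: bytes

def sign(key, rrset):
    return hmac.new(key, rrset, hashlib.sha256).digest()

def sig_ok(dnskeys, rrset, sig):
    """True if sig verifies under the trusted DNSKEY with its (algorithm, key tag)."""
    key = dnskeys.get((sig.algorithm, sig.key_tag))
    return key is not None and hmac.compare_digest(sign(key, rrset), sig.signature)

def validate_any(dnskeys, rrset, sigs):
    """Policy argued in the message: any single valid signature is sufficient."""
    return any(sig_ok(dnskeys, rrset, s) for s in sigs)

def validate_strict(dnskeys, rrset, sigs):
    """Over-tightened: every RRSIG must verify and every DNSKEY algorithm must sign."""
    key_algs = {alg for alg, _tag in dnskeys}
    sig_algs = {s.algorithm for s in sigs}
    return bool(sigs) and key_algs <= sig_algs and all(sig_ok(dnskeys, rrset, s) for s in sigs)

RRSET = b"www.example. 300 IN A 192.0.2.1"
DNSKEYS = {(8, 1111): b"constructed-key-alg8", (13, 2222): b"constructed-key-alg13"}
GOOD8 = Rrsig(8, 1111, sign(DNSKEYS[(8, 1111)], RRSET))
GOOD13 = Rrsig(13, 2222, sign(DNSKEYS[(13, 2222)], RRSET))
GARBAGE = Rrsig(13, 2222, b"\x00" * 32)
SCENARIOS = {
    "both signatures valid": [GOOD8, GOOD13],
    "garbage RRSIG added beside a valid one": [GOOD8, GARBAGE],
    "RRset emitted before the second algorithm's key": [GOOD8],
    "only a garbage RRSIG": [GARBAGE],
}

def run():
    """Map scenario name -> (validate_any result, validate_strict result)."""
    return {n: (validate_any(DNSKEYS, RRSET, s), validate_strict(DNSKEYS, RRSET, s))
            for n, s in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (lenient, strict) in run().items():
        print(f"{name:48} any-valid={lenient!s:5} strict={strict}")
```

The strict policy rejects the two middle scenarios even though a valid signature is present in each; both policies reject the RRset that carries only a garbage signature.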
