> As the inventor of DNSSEC
> key tags, I am constantly amazed by the hundreds of email messages
> and incredible amount of foofaraw on this list about them. They
> were always intended to just be a simple heuristic to probabilistically
> reduce effort in most cases of multiple keys. Of course the standards
> need to say that the key tag must be correctly set but there I'm
> not sure there is any need to require anyone to even look at the
> key tag.

Independent of how they were intended, they are now essential to deal with
attacks like KeyTrap. Without key tags, an attacker has a significant
amplification factor in DoS attacks.

To illustrate, assume we allow DNSKEY RRsets with 10 keys and we allow
10 signatures on an RRset.

With 10 keys and no key tags, it will take on average 5 public key
operations to validate a good signature.

With 10 signatures, an attacker can generate 9 bad signatures and one good one.
On average finding the good one requires checking 5 signatures. The 4 bad ones
require 10 public key operations each and the good one requires 5 operations.
So the attacker can make the cost of a single logical signature validation
equal to 45 public key operations.

In contrast, with key tags and no collisions, the number of required public
key operations is only one. So the attacker gains a factor of 45.


_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
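The cost model in the message above, as an added example that is not code from the DNSOP thread or any validator: a naive validator tries every RRSIG in order and, for each, every DNSKEY in order (or only the keys whose key tag matches, when key tags are honoured), counting one public-key operation per attempt. Keys, key tags and signatures are constructed stand-ins; no real cryptography is performed. `expected_ops` averages exactly over every position of the one good signature and every choice of signing key, so for 10 keys and 10 signatures it reports 50.5 operations without key tags rather than the rounded 45 in the message, and 1.0 with key tags and no collisions; it also covers the case where the bogus signatures copy a real key's tag, which caps the validator at one operation per signature instead of one per key.

```python
"""Public-key operations a DNSSEC validator spends before it finds the one
valid RRSIG, with and without RRSIG/DNSKEY key-tag matching.
Added example with constructed data; not code from the DNSOP thread."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class DnsKey:
    key_id: int     # constructed stand-in for the actual public key material
    key_tag: int    # 16-bit key tag as carried in DNSKEY/RRSIG


@dataclass(frozen=True)
class RrSig:
    key_tag: int    # key tag the signature claims to be made with
    signer_id: int  # key that really produced it; -1 for a bogus signature


def validate(rrsigs, dnskeys, use_key_tags):
    """Try signatures in order and keys in order, counting one public-key
    operation per (signature, key) attempt, as a naive validator would.
    Returns (found_valid_signature, operations_spent)."""
    ops = 0
    for sig in rrsigs:
        for key in dnskeys:
            if use_key_tags and key.key_tag != sig.key_tag:
                continue            # cheap tag comparison, no crypto spent
            ops += 1                # one signature verification
            if key.key_id == sig.signer_id:
                return True, ops    # good signature found, stop here
    return False, ops


def build_case(num_keys, num_sigs, good_pos, signer, bogus_tag_matches):
    """Construct a DNSKEY RRset of num_keys keys with unique tags and an
    RRSIG set with exactly one valid signature at index good_pos."""
    keys = [DnsKey(key_id=i, key_tag=1000 + i) for i in range(num_keys)]
    good = RrSig(key_tag=keys[signer].key_tag, signer_id=signer)
    # Bogus signatures either copy the real signing key's tag (worst case
    # for the validator) or carry a tag that matches no key at all.
    bogus_tag = keys[signer].key_tag if bogus_tag_matches else 0
    sigs = [RrSig(key_tag=bogus_tag, signer_id=-1)] * num_sigs
    sigs[good_pos] = good
    return sigs, keys


def expected_ops(num_keys, num_sigs, use_key_tags, bogus_tag_matches=False):
    """Exact average over every position of the good signature and every
    choice of signing key, each equally likely."""
    total = 0
    for good_pos, signer in product(range(num_sigs), range(num_keys)):
        sigs, keys = build_case(num_keys, num_sigs, good_pos, signer,
                                bogus_tag_matches)
        ok, ops = validate(sigs, keys, use_key_tags)
        assert ok, "the good signature must always be found"
        total += ops
    return total / (num_sigs * num_keys)


def amplification(num_keys, num_sigs, bogus_tag_matches=False):
    """How many times more work the validator does without key tags."""
    return (expected_ops(num_keys, num_sigs, False)
            / expected_ops(num_keys, num_sigs, True, bogus_tag_matches))


if __name__ == "__main__":
    for tags in (False, True):
        print(f"key tags {'on ' if tags else 'off'}: "
              f"{expected_ops(10, 10, tags):.1f} ops on average")
    print(f"amplification, bogus tags match no key: {amplification(10, 10):.1f}x")
    print(f"amplification, bogus tags copy real key: "
          f"{amplification(10, 10, bogus_tag_matches=True):.1f}x")
```

The `bogus_tag_matches=True` case is the one a validator implementer should plan for: key tags cannot stop an attacker from labelling bogus signatures with a real key's tag, but they still reduce the worst case from one operation per key to one per signature, which is why limits on the number of signatures and keys tried per validation matter alongside the tag check.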