IETF Logo Mail Archive

Re: [DNSOP] [Ext] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost

Philip Homburg <pch-dnsop-5@u-1.phicoh.com> Tue, 30 April 2024 12:07 UTC

Return-Path: <pch-b538D2F77@u-1.phicoh.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5727CC14CF18 for <dnsop@ietfa.amsl.com>; Tue, 30 Apr 2024 05:07:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EdbF2g71jz0y for <dnsop@ietfa.amsl.com>; Tue, 30 Apr 2024 05:07:19 -0700 (PDT)
Received: from stereo.hq.phicoh.net (stereo.hq.phicoh.net [45.83.6.19]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5269DC14F739 for <dnsop@ietf.org>; Tue, 30 Apr 2024 05:07:17 -0700 (PDT)
Received: from stereo.hq.phicoh.net (localhost [::ffff:127.0.0.1]) by stereo.hq.phicoh.net with esmtp (TLS version=TLSv1.2 cipher=ECDHE-RSA-CHACHA20-POLY1305) (Smail #158) id m1s1mGR-0000PPC; Tue, 30 Apr 2024 14:07:15 +0200
Message-Id: <m1s1mGR-0000PPC@stereo.hq.phicoh.net>
To: dnsop@ietf.org
Cc: Paul Wouters <paul@nohats.ca>
From: Philip Homburg <pch-dnsop-5@u-1.phicoh.com>
Sender: pch-b538D2F77@u-1.phicoh.com
References: <D95A2D1F-1203-4434-B643-DDFB5C24A161@icann.org> <67B93EF4-6B70-402E-9D78-1A079538CA18@strandkip.nl> <m1s1Wur-0000LDC@stereo.hq.phicoh.net> <f0f9c0ce-2911-9b4c-0d60-47c204add2d4@nohats.ca>
In-reply-to: Your message of "Mon, 29 Apr 2024 16:00:39 -0400 (EDT) ." <f0f9c0ce-2911-9b4c-0d60-47c204add2d4@nohats.ca>
Date: Tue, 30 Apr 2024 14:07:14 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/8sfTPLcnEE4XH4eyQ9lvk_mOmOk>
Subject: Re: [DNSOP] [Ext] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Apr 2024 12:07:24 -0000

>The advise is split between producing SHA1 signatures and consuming SHA1
>signatures, and those timings do not have to be identical.
>
>That said, a number of OSes have already forced the issue by failing
>SHA1 as cryptographic operation (RHEL, CentOS, Fedora, maybe more). So
>right now, if you run DNSSEC with SHA1 (which includes NSEC3 using
>SHA1), your validator might already return it as an insecure zone.
>
>I think a MUST NOT for signing with SHA1 is a no-brainer. The timing for
>MAY on validation should be relatively short (eg 0-2 years?)

What worries me about the draft is the security section. I can understand
the desire to get rid of old crypto, but as far as I can tell
this draft will mostly decrease security.

We can accept as given that it is easy to find collisions for SHA1. However,
a second pre-image attack is way off in the future.

>From that we can conclude that for any zone that is now signed using SHA1 and
that does not have a risk of collision attacks (because the zone does not
accept data controlled by third parties), this draft is a clear reduction of
security.

For a site that does have a risk of collision attacks the situation is less
clear. Such a site should move away from using SHA1, but the recommendation 
for validators will still cause an immediate reduction of security.

Looking at the signer part, this is not great either. Moving away from SHA1
requires an algorithm roll-over. DNSSEC is already quite fragile and algorithm
rolls are worse. So there is a failure risk that is too big ignore.

This draft requires zones that do not have a collision risk to move to a
different algorithm, at a significant risk, but there is no increase in 
security. So that part is also a net negative for security.

So it seems that we are asked to adopt a draft that will mostly reduce 
security, not increase it.

There might be other arguments for adopting the draft, such a Redhat not
validating signatures with SHA1 anymore. But those arguments are not
mentioned in the draft.

And if some companies from one country want to shoot themselves in the foot,
does the rest of the world have to follow?

v2.34.0 | Report a Bug | By Email | System Status