IETF Logo Mail Archive

[DNSOP] Re: Questions before adopting must-not-sha1

Philip Homburg <pch-dnsop-6@u-1.phicoh.com> Sun, 17 November 2024 15:12 UTC

Return-Path: <pch-b6CAFA0C7@u-1.phicoh.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 501C8C14F698 for <dnsop@ietfa.amsl.com>; Sun, 17 Nov 2024 07:12:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L6OIcOi9UdhI for <dnsop@ietfa.amsl.com>; Sun, 17 Nov 2024 07:12:41 -0800 (PST)
Received: from stereo.hq.phicoh.net (stereo.hq.phicoh.net [IPv6:2a10:3781:2413:1:2a0:c9ff:fe9f:17a9]) (using TLSv1.2 with cipher ECDHE-ECDSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A99FC14F682 for <dnsop@ietf.org>; Sun, 17 Nov 2024 07:12:39 -0800 (PST)
Received: from stereo.hq.phicoh.net (localhost [::ffff:127.0.0.1]) by stereo.hq.phicoh.net with esmtp (TLS version=TLSv1.2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305) (Smail #158) id m1tCgx2-0000LZC; Sun, 17 Nov 2024 16:12:36 +0100
Message-Id: <m1tCgx2-0000LZC@stereo.hq.phicoh.net>
To: dnsop@ietf.org
From: Philip Homburg <pch-dnsop-6@u-1.phicoh.com>
Sender: pch-b6CAFA0C7@u-1.phicoh.com
References: <D95A2D1F-1203-4434-B643-DDFB5C24A161@icann.org> <67B93EF4-6B70-402E-9D78-1A079538CA18@strandkip.nl> <m1s1Wur-0000LDC@stereo.hq.phicoh.net> <f0f9c0ce-2911-9b4c-0d60-47c204add2d4@nohats.ca> <DB9D1C93-95D1-4B76-AD74-4C60433D479A@icann.org> <7dd5f090-b8b7-ea5e-82f2-d622298c7299@nohats.ca> <ybl7cgejxcr.fsf@wd.hardakers.net> <4907A4B7-1EAE-460D-91E8-4F7D292C7302@icann.org> <ybl34r2jv3n.fsf@wd.hardakers.net> <0334D9C1-F066-460A-893B-C4075FD0BE07@icann.org> <0e5914c7-d3fa-443c-8099-1b5bad39a50e@redhat.com> <m1tBFqG-0000LkC@stereo.hq.phicoh.net> <929e319c-7797-45ac-bdae-ed76d7659e23@redhat.com>
In-reply-to: Your message of "Fri, 15 Nov 2024 15:39:36 +0100 ." <929e319c-7797-45ac-bdae-ed76d7659e23@redhat.com>
Date: Sun, 17 Nov 2024 16:12:36 +0100
Message-ID-Hash: TIR5OK3RC4AU5XOAAL7C72NGRZO5ZCO6
X-Message-ID-Hash: TIR5OK3RC4AU5XOAAL7C72NGRZO5ZCO6
X-MailFrom: pch-b6CAFA0C7@u-1.phicoh.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Petr Menšík <pemensik@redhat.com>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: Questions before adopting must-not-sha1
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ESMlUN2VtcNc9zHWWl6FiiGG8nA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

>I have found there is no need to link to different library. What is
>needed is just different *configuration*. I found a very simple method
>to share with you:
>
>Use OPENSSL_CONF environment to point to conf file containing:
>
>.include = /etc/ssl/openssl.cnf
>[evp_properties]
>rh-allow-sha1-signatures = yes
>
>That is all needed to get SHA1 verification in DNSSEC back, without
>accepting SHA1 in TLS connections at the same time. Cool, eh?

At the risk of going off-topic, it seems that Red Hat is shipping packages
with unbound is compiled without support for RSASHA1. So this trick is
unlikely help.

v2.35.0 | Report a Bug | By Email | System Status