Re: [DNSOP] [Ext] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost

Paul Wouters <paul@nohats.ca> Tue, 30 April 2024 17:22 UTC

Date: Tue, 30 Apr 2024 13:21:11 -0400
From: Paul Wouters <paul@nohats.ca>
To: Philip Homburg <pch-dnsop-5@u-1.phicoh.com>
cc: dnsop@ietf.org
In-Reply-To: <m1s1p08-0000LZC@stereo.hq.phicoh.net>
Message-ID: <d628274d-bedf-da04-327f-00dce3371e5c@nohats.ca>
References: <D95A2D1F-1203-4434-B643-DDFB5C24A161@icann.org> <67B93EF4-6B70-402E-9D78-1A079538CA18@strandkip.nl> <m1s1Wur-0000LDC@stereo.hq.phicoh.net> <f0f9c0ce-2911-9b4c-0d60-47c204add2d4@nohats.ca> <m1s1mGR-0000PPC@stereo.hq.phicoh.net> <fbce2996-346f-29fa-3534-45eaa142b96e@nohats.ca> <m1s1oHu-0000LZC@stereo.hq.phicoh.net> <0a9a6466-0e66-8c1c-2133-34da5eb52812@nohats.ca> <m1s1p08-0000LZC@stereo.hq.phicoh.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/H7oBdQgnZWYaRcsdgXC3zxojbrk>
Subject: Re: [DNSOP] [Ext] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost

On Tue, 30 Apr 2024, Philip Homburg wrote:

>> - FIPS
>> - PCI-DSS
>> - BSI
>> - OWASP
>> - SOC2
>> - PKI-industry & CAB/Forum
>> - TLS, IPsec/IKE, OpenPGP, SMIME, et al. at IETF.
>> - All the cryptographers including CFRG
>
> The problem is that none of them did an impact analysis for this draft.

I phrase it the other way around:

The DNS community failed to track industry wide commitments and
requirements for many years.

> Yes of course, in isolation it is good to move away from SHA1. Nobody
> says SHA1 is great, we should promote it. RFC 8624 already says that
> algorithms 5 and 7 are not recommended for signing.

That's from 2019. It could use an update from SHOULD NOT to MUST NOT.
That's exactly what this document does. If not now, when would you want
to change it? I was reluctant too until I saw the numbers from Viktor
about the low amount of SHA1 zones left a few months ago.

> However, going ahead and breaking things is something different. And that
> is exactly what is proposed here. And that is something that doesn't give
> security benefits. Just a reduction of security in the name of crypto purity.

As explained, it will cause less breakage not more. It will also cause
more insecure zones, but that is not "breakage" and these zones are far
behind current practices. I found my old Viktor messages, so I refound:

https://stats.dnssec-tools.org/#/?top=parameters&dnssec_param_tab=0

19750 out of 22,713,302 aka 0.08% is using RSASHA1
119678 out of 22,713,302 aka 0.52% is using NSEC3-RSASHA1

at 0.6%, I think it is high time to say MUST NOT. Yes, that half percent
will see their DNSSEC status reduced to insecure, but on the plus side,
it won't cause sha1 bogus servfail errors anywhere.

Paul
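The "insecure, not bogus" point above rests on RFC 4035 section 5.2: a validator that supports none of a zone's DNSKEY algorithms treats the zone as unsigned rather than failing it. The following script is an added illustration (not code from the thread or the draft) that classifies zones by their DNSKEY algorithm numbers once 5, 7 and 12 are treated as unsupported, and recomputes the combined SHA1 share from the figures quoted above. The DNSKEY records and zone names are constructed samples.

```python
"""Classify DNSSEC zones by validator outcome once SHA1 algorithms (5, 7) are MUST NOT."""

# DNSSEC algorithm numbers from the IANA registry; names as in RFC 8624 table 1.
ALGORITHMS = {
    3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256", 10: "RSASHA512", 12: "ECC-GOST", 13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}
# Algorithms a validator would stop supporting under the must-not-sha1 /
# must-not-ecc-gost drafts named in the subject line.
UNSUPPORTED = {5, 7, 12}

# Constructed sample DNSKEY RRs in presentation format (keys truncated, not real).
SAMPLE_DNSKEYS = """\
; owner TTL class type flags protocol algorithm public-key
sha1only.example. 3600 IN DNSKEY 257 3 5 AwEAAconstructedKSK1
sha1only.example. 3600 IN DNSKEY 256 3 5 AwEAAconstructedZSK1
nsec3sha1.example. 3600 IN DNSKEY 257 3 7 AwEAAconstructedKSK2
rollover.example. 3600 IN DNSKEY 257 3 7 AwEAAconstructedKSK3
rollover.example. 3600 IN DNSKEY 257 3 13 AwEAAconstructedKSK4
modern.example. 3600 IN DNSKEY 257 3 13 AwEAAconstructedKSK5
""".splitlines()


def parse_dnskey(line):
    """Return (owner, algorithm number) from one DNSKEY RR in presentation format."""
    fields = line.split()
    idx = fields.index("DNSKEY")          # flags, protocol, algorithm follow the type
    return fields[0], int(fields[idx + 3])


def validator_outcome(algs, unsupported=UNSUPPORTED):
    """RFC 4035 s5.2: no supported algorithm in the DNSKEY RRset -> treat as unsigned
    (insecure). Any supported algorithm left -> validation proceeds with it (secure).
    An unsupported algorithm never yields bogus, so no SERVFAIL is produced."""
    if not algs:
        return "unsigned"
    return "secure" if algs - unsupported else "insecure"


def classify_zones(lines):
    """Group DNSKEY RRs by owner and report the validator outcome per zone."""
    by_zone = {}
    for line in lines:
        if not line.strip() or line.startswith(";"):
            continue
        owner, alg = parse_dnskey(line)
        by_zone.setdefault(owner, set()).add(alg)
    return {zone: validator_outcome(algs) for zone, algs in by_zone.items()}


def share_percent(count, total):
    """Percentage of signed zones affected, as in the stats quoted in the mail."""
    return 100.0 * count / total
```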