[DNSOP] Re: Questions before adopting must-not-sha1
Peter Thomassen <peter@desec.io> Wed, 13 November 2024 20:14 UTC

On 11/13/24 19:55, Philip Homburg wrote:
>> See our I-D on lifecycle. It addresses this issue squarely.
>
> The problem is that RedHat went ahead and disabled support for SHA1
> (in the default configuration). That results in systems that
> violate the current DNSSEC standards.

Yes. Given that current RFCs knowingly aren't/weren't followed, I see little reason to assume that a new one (on lifecycles) would have any effect to stop/prevent that. (And those who follow the current RFCs don't need the lifecycle document, because they are already compliant.)

Peter

--
https://desec.io/