IETF Logo Mail Archive

[DNSOP] Re: Questions before adopting must-not-sha1

Petr Menšík <pemensik@redhat.com> Tue, 12 November 2024 23:35 UTC

Return-Path: <pemensik@redhat.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60003C1840DA for <dnsop@ietfa.amsl.com>; Tue, 12 Nov 2024 15:35:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.251
X-Spam-Level:
X-Spam-Status: No, score=-2.251 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B-Y5Q_ApJEs5 for <dnsop@ietfa.amsl.com>; Tue, 12 Nov 2024 15:35:04 -0800 (PST)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55E73C15153F for <dnsop@ietf.org>; Tue, 12 Nov 2024 15:35:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1731454503; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:autocrypt:autocrypt; bh=mjCxhs6th4T57paMj9qvzI5FXgetOyYxLAphB9iXxds=; b=cFGgxloEdvlApl65Xu7CqOJAe4H5RHGd1vEyfRkMnD6fISMTksjzezyhVIAQ/iBp/hJUyD o8wBlAtG6TRKT2zz6eTPECq8GnupPm6CTf0ypF7fBTFak+c2U+0+pQpQAJzOv/mZjQ2bbh ngvBfyZQVTclxYL2qtTnRZgzUqenArM=
Received: from mail-wm1-f70.google.com (mail-wm1-f70.google.com [209.85.128.70]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-401-JGu38OeEOM-0nA4fry4VxQ-1; Tue, 12 Nov 2024 18:35:01 -0500
X-MC-Unique: JGu38OeEOM-0nA4fry4VxQ-1
X-Mimecast-MFC-AGG-ID: JGu38OeEOM-0nA4fry4VxQ
Received: by mail-wm1-f70.google.com with SMTP id 5b1f17b1804b1-4315cefda02so47905215e9.0 for <dnsop@ietf.org>; Tue, 12 Nov 2024 15:35:01 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1731454500; x=1732059300; h=in-reply-to:autocrypt:from:content-language:references:cc:to :subject:user-agent:mime-version:date:message-id:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=mjCxhs6th4T57paMj9qvzI5FXgetOyYxLAphB9iXxds=; b=XXxJw5eO+W97ca2KWx/m1VPVIO1L1pCQEqamzo/IbJO5mC0AwgivWeJQp9PY9c9YzT CxzpfN5lff5nNUst6L+TzwHrOEva833iLORimFOru0aLDSjp9IhyLgpU6gdsZwiCP9Tx u0wBEndl6K9Jslta0OECAUBjHORRocYmE4/pyhZmDO2GoF9sGaf5lIGa1HavxCC9w9U6 roj/NSDS5avlhv+zlxWSEwRHoCWPnVr38o/tRZWFWCMwR+2nS+0iTwdXQJaVNsMS1EDE 4EnnMZBpUvQ66+uACD39aiIUuGm1PBZTo/qp/ycBLTfu4u8GlZ+zyy2QgJQdCuX5v9RN aCLQ==
X-Gm-Message-State: AOJu0YwmGF4kvLhWgoabqUTJzvu3bnNQnCe0uhibO9SF3kgIBIj4v9xo zGGH0J3bt1s1YY14DZI2H0fVB0UGxyETXvreVfrDtioSqfrR8FSjSzt8JN7hN68dYZ6tPiCzYp4 axsnTI38Iy5SY9ocPi735V9KzDnRgzVeOE4g+lTmEcLjTaEGTgYQ=
X-Received: by 2002:a05:600c:c0d:b0:42c:de34:34c1 with SMTP id 5b1f17b1804b1-432d4aa9d0cmr8177615e9.2.1731454499711; Tue, 12 Nov 2024 15:34:59 -0800 (PST)
X-Google-Smtp-Source: AGHT+IERfXlIRDr5GNGXd3MnijyOeC5Z0Eeqy/1UDswDwsPdcFX3Uk0iMf1mXHq9iviPPVbff8fq+g==
X-Received: by 2002:a05:600c:c0d:b0:42c:de34:34c1 with SMTP id 5b1f17b1804b1-432d4aa9d0cmr8177435e9.2.1731454499191; Tue, 12 Nov 2024 15:34:59 -0800 (PST)
Received: from ?IPV6:2a03:3b40:296:0:f482:3914:642b:42fb? ([2a03:3b40:296:0:f482:3914:642b:42fb]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-432d5541862sm2897775e9.28.2024.11.12.15.34.57 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 12 Nov 2024 15:34:58 -0800 (PST)
Message-ID: <0e5914c7-d3fa-443c-8099-1b5bad39a50e@redhat.com>
Date: Wed, 13 Nov 2024 00:34:56 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Paul Hoffman <paul.hoffman@icann.org>, Wes Hardaker <wjhns1@hardakers.net>
References: <D95A2D1F-1203-4434-B643-DDFB5C24A161@icann.org> <67B93EF4-6B70-402E-9D78-1A079538CA18@strandkip.nl> <m1s1Wur-0000LDC@stereo.hq.phicoh.net> <f0f9c0ce-2911-9b4c-0d60-47c204add2d4@nohats.ca> <DB9D1C93-95D1-4B76-AD74-4C60433D479A@icann.org> <7dd5f090-b8b7-ea5e-82f2-d622298c7299@nohats.ca> <ybl7cgejxcr.fsf@wd.hardakers.net> <4907A4B7-1EAE-460D-91E8-4F7D292C7302@icann.org> <ybl34r2jv3n.fsf@wd.hardakers.net> <0334D9C1-F066-460A-893B-C4075FD0BE07@icann.org>
Content-Language: en-US
From: Petr Menšík <pemensik@redhat.com>
Autocrypt: addr=pemensik@redhat.com; keydata= xsDNBF17vwQBDACso9gM0++XOzm/b//dGE1bgYyIch8xqCDHe2YXDUL2a65LCmNQUnS7PTxf 8psG4DdBayWlRvA/33L3YQD8gULaZX/KsHbSQov4Np4E2rG9PCljcDqHFCKjHEmmzQ86Z4+r euHoTwUpEroz2xa1XAIsy4fjqro0GHc6H3BVwXQ8Vfrmllq6tW+ubegI/tZSDDfOlnkHyMsh /mX893qn1Sb+A/RqyDDV6voAv4YfoNJyDfBB0jMshEiSLO+S0vspw42ElbAdLO6SHOX8Dy/a yPVTGDe2Jopy3YrbUWtu5HIs8X0vsKbF6tegO1l/m1y3t2Aa153k6NKOWv+79iNiY2ygGefm o1TRzlS/d+xacOxnGO3RCSlvm3xDEUuqNqrSQNF2yVRYAMwh75VWefeTu+/erXR4MGDpTTSA Ebaen0+uuiG4LGCNzZdYOyj7OMHW14e9JX4eujP0DtoJC9TWpDwHwbApbf83ZdmxxrU4yTPi 7fkXe4qkPulRFV7LOmlkAAUAEQEAAc0jUGV0ciBNZW7FocOtayA8cGVtZW5zaWtAcmVkaGF0 LmNvbT7CwRQEEwEIAD4CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQTfz5CNt8h+jlKZ JbxJMcpbbJ/FywUCZPHFVgUJCzhtUgAKCRBJMcpbbJ/Fy1fxC/47crKpMrPsX0LHs05fpiS+ tgemYCvezN0So0x9Wc0Otl7L4qa2y4IiCfIS6G8gNEClEuatI1xfFVMxCU+BYFw5NRXNSZj+ 2Pb4DS69lhGJoFctwJ8mPIhPOr9SDQKAYw0EPbk+nWXB4fo3cKKN/EbKD++a/lLOecajGoF1 3N27l6fyfZHxm1tM/6TSm/2QyAau6MF6k9o4gA9/VjV6PYNKehicO7CkKO820F3OazPW9iFp dsmscKOEb79xZOq/W6vTPisHreBM7oB129PZxJrhOks3F/gfxG62kAUBGezFgFqWu4IFhsnM cMBokXUd6yurRBndljG0lW/P1pIH6TIrnCYzQ8XVA4hZFhfWdlCJqcPrbaQocnKzOdaa/fe3 xQHRiHOvvRvTkBCLFYcLVqXvWcAlj8jgsCbM3lakVPBLAYDjUdTqwrnTQ+vgJtx/4OCQuGkr 6sEKUQvxl/mWrN7+ThZJQ0ITWbP1ay5MA6QGulo2PyH5nV8/A6dnjS+M6UbOwM0EXXu/BAEM AMe+2Xxem4Uzjy2MG9cT3aX7suGVCgYmJV2CACSMncqN2MC0PjxGiV37wv+Cyq9QaOF/MiuF 568YYim2Cz1RURRjDxDeslMqj+6NKwepwABPTdlGOOvnMBmH5gfBeBJuRcx+1cHVTHBpoSTi waDUg+rtyfRXZYCGqvG9fUcJzWeCkiYbqaLHzxt9sTPhAv3rE0MdGib8Igg86Txge3b55i/7 MbYGtw+lqtVoYpsV1LoqfoQgW8j0Ac1Objch34iKvbAR75z6dJ1Tg5aFJyhYCbB8NwrE31Pd aXUHyr47y3IoNXNlc0s7dg542OA6m2FkvQYgfbZlQb66J0PTAl31zvYN/G2C024DDqU1wOpV hn1RYkoc0UTAse2IdP/t2mqE4me2gZ7NrjWwFSzXlGIh08T7KxHLrGtA3Mm2I3XnPHO1ppf6 xBoeGMfESeNfoR8sGWOnYyd52CKdnp7DtJ3TlGLlafnkauwHrHnHdkJb4pkKjXKavKy/DjUG yWG74jexhwARAQABwsD8BBgBCAAmAhsMFiEE38+QjbfIfo5SmSW8STHKW2yfxcsFAmTxxYsF CQs4bYcACgkQSTHKW2yfxct9DAv/YIBB1dENrLjMhh+Y11s++p2VFeP4gxawrrXc6tXRcfXj aEvubqNTG34HIUhIIFKbl7S4HGLFhcCtLdzn6nW3e/jH6Gen2InSLHyHVUpt8U0ysSKFoTpM BgP95IWYhx2I3FtKBpjSmTx/Vwdgf1D2QBBLwEWFYazuUIVY8IxwWOlfwpN56jujdSPrcxZD HGDz5gBKy9bKaoTQT6IZXHTanTi7XVJShtWJsX9pot3dPMi+5W+mTaocEc+gnPyEKI9WoQJ/ Ow5At3mQqJ1CEaRF4BXDK0bXIzOrejHDhv4n3RSrvnFlV2e+BcbfS7uj4rYRPsjZ4nffFpog CiM0Yg6RihUbZ8h6BMghOt0F07LAV3ISpaPeVsp4F6pnFedS5NgMufiBSopSJTc8wLked9E3 PlSxMeSMfi21E/eLg024Wx2c9JdKNFrYGEkgdr+w9WBA7AMKFCIQKDAwb3vPgxO3owDNC+ka AJs6m+d2kZSDzqUdFMZLrqbp0vt3GnIF8l3Y
In-Reply-To: <0334D9C1-F066-460A-893B-C4075FD0BE07@icann.org>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------fxLYnbIawxO2q5YNJum0L1sL"
Message-ID-Hash: U2A5AGW5M574XSTRHKEIN7BN2DUTEMO2
X-Message-ID-Hash: U2A5AGW5M574XSTRHKEIN7BN2DUTEMO2
X-MailFrom: pemensik@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: Questions before adopting must-not-sha1
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/KwinIU80C32cBfD0oiFext6mtzc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Hello Paul,

I am aware Red Hat is not loved for the way, how the disabling of 
RSASHA1 algorithm were handled in our products, especially Red Hat 
Enterprise Linux 9.

While primary target of our crypto people were disallowing SHA-1 usage 
in TLS channels and signatures of documents, I think they were correct 
that it affects negatively also DNSSEC.

Because similar change to RHEL9 were done also on recent Fedora 41 
release, let me share a nice public summary from them on page 
OpenSSLDistrustSHA1SigVer [1]. While this style of deployment is not 
ideal, especially because we violate a RFC by it, crypto library 
maintainers had not given us choice around that.

I would point to SHA-1 is a Shambles [2]  page, which includes more 
information about the attack.

Tony Finch has correctly identified in SHA-1 chosen prefix collisions 
and DNSSEC [3] article that when a single record is usually safe, 
multiple records might allow creating fake signature even in DNSSEC. 
While you are somehow limited for A or AAAA records length, records like 
TXT or OPENPGPKEY may contain a lot of data. You can just generate 
random garbage at appended additional record. Which does not have to be 
ascii or even have expected PGP key format. Similarly you can forge 
additional SSHFP records with any content, just to have the same 
resulting digest. That would get first correct record accepted, just 
because random appending happens.

Correct me if I am wrong, but I think RRSIG wire-format [4] does not 
include length of signed RRset data, especially not at the start. Which 
may prevent append attack on signatures.

That leads me to conclusion our crypto team were correct, SHA-1 should 
not be relied on in DNSSEC. I agree, zones still signing with SHA-1 
should upgrade ASAP. Verification of SHA1 based signatures is still 
better than nothing at all, but most implementations I have seen cannot 
do just fallback type of verification. They either verify and set AD bit 
or nothing. That is the case of bind9, unbound and dnsmasq, which can do 
validation in RHEL9.

I think relaxing from MUST validate would be better. I would propose 
adding similar formulation:

 > Implementation SHOULD validate SHA1 signatures in the validator, 
unless supported algorithm with a better strength covers the same RRset. 
In that case AD bit SHOULD NOT be set in the response.

No implementation I know can behave like this, but it would provide at 
least partial protection, which you demand.

Best Regards,
Petr
Software Engineer at Red Hat

1. 
https://fedoraproject.org/w/index.php?title=Changes/OpenSSLDistrustSHA1SigVer
2. https://sha-mbles.github.io/
3. https://www.dns.cam.ac.uk/news/2020-01-09-sha-mbles.html
4. https://www.rfc-editor.org/rfc/rfc4034#section-3.1

On 01/05/2024 01:50, Paul Hoffman wrote:
> On Apr 30, 2024, at 16:20, Wes Hardaker <wjhns1@hardakers.net> wrote:
>> 3. The whole discussion, IMHO, is side-stepping the real issue: if not
>> now, then when?  IE, do we never put something at MUST NOT?  Is there a
>> usage threshold?  Is it "must be zero"?  Is it "known to be broken and
>> everyone must have a flag day instead of a slower process"?
>>
>> These are not easy questions, and there does seem to be many different
>> opinions.  RedHat led the pack(ish), and maybe Paul and others will be
>> the tail end at some very late value.  There is no right or wrong, and
>> the line of people are likely to spread out along the timeline.
> Thank you for asking the question about questions. But, please, don't simplify with the phrase "MUST NOT" given that the draft has that for two different parts of the DNS: signers and resolvers.
>
> My personal feeling is that "MUST NOT sign because RedHat" is an unfortunate position for us to be in, but one that is defensible. "MUST NOT validate because of some security issue that might never happen" is not defensible, at least to me. The argument "you signing something that we know many resolvers cannot validate is actively bad for security" is defensible.
>
> Until someone can show that a reduction in collision resistance can lead to a reduction in real-world security for DNSSEC, we can wait for "MUST NOT validate", possibly forever. There is no good reason for this group to say to a zone operator who signed their zone in good faith "we are now making your zone insecure"; it's even worse for us to say to zone owners "we're forcing you to pick a different TLD if you still want to be secure".
>
> And, to be clear: I don't support waiting for a usage threshold for "MUST NOT validate". If there is any noticeable chance that an attacker can create a key or signature for a zone they don't control, that is a good enough reason to go to "MUST NOT validate" and let the resolvers decide if they want to be compliant with the new standard. But we aren't there yet, and when we are, the RFC needs to say how we got to that conclusion.
>
> --Paul Hoffman

-- 
Petr Menšík
Senior Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB

v2.35.0 | Report a Bug | By Email | System Status