IETF Logo Mail Archive

Re: [DNSOP] [Ext] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost

Mark Andrews <marka@isc.org> Tue, 30 April 2024 15:01 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E058C14CE29 for <dnsop@ietfa.amsl.com>; Tue, 30 Apr 2024 08:01:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.398
X-Spam-Level:
X-Spam-Status: No, score=-4.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b="ZSqkuySl"; dkim=pass (1024-bit key) header.d=isc.org header.b="O36ITtbC"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jzGFGGSo3_A2 for <dnsop@ietfa.amsl.com>; Tue, 30 Apr 2024 08:01:15 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.2.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E602C14F619 for <dnsop@ietf.org>; Tue, 30 Apr 2024 08:01:15 -0700 (PDT)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.2.31]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 30F973AB235; Tue, 30 Apr 2024 15:01:15 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org 30F973AB235
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.2.31
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1714489275; cv=none; b=eLt91kipwjIlYkD8E0AxeAIo7mOWTSyNhSPv9AlGMxoc+BFaBQj6Yf44KdloYOGxHjmJxxblt8Copy60uvxTjrpLZXx+UOL+PGxpLKQBIPH9ugWYH/Gw6eWs4w/c0TllqI6eqDe7isvcWvhU0IfOvQfRp0RLei8DkEXX0b+3umA=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1714489275; c=relaxed/relaxed; bh=3Akr/3asvzu+E3iAC9Vh3Kz9iNQ9FKUM7J62OnlFmb8=; h=DKIM-Signature:DKIM-Signature:From:Mime-Version:Subject:Date: Message-Id:To; b=HdYdHbNXY5fagJPPhhpwu85vCytyaaiHSHUugkYAa58N13xjzHixnJvv5ZGPL8cEfHhrVpcRDSTtnymcePF6eNWIasohFq2UYwMGeTZeJbRCnmxwI+hkCpHc9b5p3mADSRE2xJEbeebw8uIBAgEXe7nyz8R9r+yrcoY2Q2KFd54=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org 30F973AB235
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1714489275; bh=Uq+lGn8EFb2KvQr9hFjpeQZr+xlSPTaVsgsugfw8QQg=; h=From:Subject:Date:References:Cc:In-Reply-To:To; b=ZSqkuySlVx8pe9zlxY0wZ8aAYTLP6pboRIjmZfEzSwSaO5Vgdwxj73Hfzw67PSkD5 3XzZYHskyqN3V5+YVQOQBqVhZFMHV9TSJw7lfhTcLLGFgr28XbFdFWphE7UxvTGOGB hDtSGUAqP5MlXvU2bFrEZUtRnUXahwJRWeIA3ECs=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id 2B40D112821D; Tue, 30 Apr 2024 15:01:15 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 094B5112821C; Tue, 30 Apr 2024 15:01:15 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 094B5112821C
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1714489275; bh=3Akr/3asvzu+E3iAC9Vh3Kz9iNQ9FKUM7J62OnlFmb8=; h=From:Mime-Version:Date:Message-Id:To; b=O36ITtbCcy9nlnygGQwSANy0tVMZRCWiYJOoi+026GDZRg/4abwUIFagvhf3nkIrc siHJ3PnTy7H4VN1y0RAvjSKEdcUpD618Xvhze0ZvfcSitaeLU7Sd0L66SNXLlpTIf6 lsa5/vNs+O7CdoOmBxrz0RVBCGHxkHMR+Y6mxmNg=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavis, port 10026) with ESMTP id sImQDAki3qFe; Tue, 30 Apr 2024 15:01:14 +0000 (UTC)
Received: from smtpclient.apple (n49-187-18-238.bla1.nsw.optusnet.com.au [49.187.18.238]) by zimbrang.isc.org (Postfix) with ESMTPSA id BF50B112821D; Tue, 30 Apr 2024 15:01:14 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Mark Andrews <marka@isc.org>
Mime-Version: 1.0 (1.0)
Date: Wed, 01 May 2024 01:01:11 +1000
Message-Id: <21366F83-1B6E-441B-AC65-9155257D08D5@isc.org>
References: <1bcb5629-32e2-4653-157a-2d7330568525@nohats.ca>
Cc: Philip Homburg <pch-dnsop-5@u-1.phicoh.com>, dnsop@ietf.org
In-Reply-To: <1bcb5629-32e2-4653-157a-2d7330568525@nohats.ca>
To: Paul Wouters <paul@nohats.ca>
X-Mailer: iPhone Mail (19H384)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/S3wOBRhdN8hMbG5yRbm6PyB2iGg>
Subject: Re: [DNSOP] [Ext] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Apr 2024 15:01:19 -0000

And that doesn’t fail in RH with the tighter crypto.   

-- 
Mark Andrews

> On 1 May 2024, at 00:46, Paul Wouters <paul@nohats.ca> wrote:
> 
> On Wed, 1 May 2024, Mark Andrews wrote:
> 
>> One got servfail because validators where not aware that support was ripped away underneath it. Validators started to get errors that where totally unexpected. Performing runtime testing of algorithm support addressed that by allowing the validator to skip the unsupported algorithm.
> 
> The runtime check for SHA1 helped put RSA-SHA1 / NSEC3-RSA-SHA1 into the "unsupported" category, but RSA-SHA256 with NSEC3 still uses SHA1
> for hashing the QNAME, and while not cryptogrpahic use, still had
> problems in practise. I don't remember the full details, but I think
> it related to wildcard proofs of non-existence of some kind, leading
> to validation failures.
> 
> Paul

v2.35.0 | Report a Bug | By Email | System Status