Re: [DNSOP] [Ext] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost

Philip Homburg <pch-dnsop-5@u-1.phicoh.com> Thu, 02 May 2024 07:42 UTC

Message-Id: <m1s2R59-0000MgC@stereo.hq.phicoh.net>
To: dnsop@ietf.org
Cc: Peter Thomassen <peter@desec.io>
From: Philip Homburg <pch-dnsop-5@u-1.phicoh.com>
In-reply-to: Your message of "Thu, 2 May 2024 09:21:29 +0200 ." <d73fc09e-c0c4-44f2-a67d-4cf5fafa0863@desec.io>
Date: Thu, 02 May 2024 09:42:18 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/XVUKZGsKla6tWn8WGmYU422yeV0>
Subject: Re: [DNSOP] [Ext] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost

In your letter dated Thu, 2 May 2024 09:21:29 +0200 you wrote:
>In my view, it's fine to disallow signing with SHA-1-based algorithms to help 
>push signers towards other algorithms. 

I appreciate the effort, but I'm curious what that means.

As far as I know, just about all zones that start signing are not using
SHA1 as part of the signature. There is not really an issue with new
installations. The affected algorithms have been marked as not recommended
for many years so we can assume that in just about any signer they are not
the default. The problem is with existing zones that probably have an
existing relationship with signer software.

The IETF is not the protocol police so it seems unlikely that signers are
going to suddenly remove all traces of SHA1 signing and leave their users
in the dark.

Worse, if signers would do that, then there is a distinct risk that people
will just use old software.

This may have the effect that new signers will not implement these
algorithms. However, that will probably be until the first customer comes
along who requests these algorithms. Adding RSA+SHA1 is trivial if you
already have RSA+SHA2.
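As an added example (not part of this thread or of any signer product), a small audit over zone-file records that reports which zones still publish SHA-1- or ECC-GOST-based DNSKEY, RRSIG or DS records, i.e. the population the message above calls existing zones with an established signer relationship. The sample records are constructed, and the set of algorithm and digest numbers treated as legacy is my reading of the drafts named in the subject line, not quoted from them.

```python
import re
from collections import defaultdict

# IANA DNS Security Algorithm Numbers whose signatures depend on SHA-1 or GOST R 34.11-94.
LEGACY_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 12: "ECC-GOST"}
# IANA DS digest types built on the same hashes: 1 = SHA-1, 3 = GOST R 34.11-94.
LEGACY_DIGESTS = {1: "SHA-1", 3: "GOST R 34.11-94"}

# Presentation format: owner [ttl] [class] type rdata...
RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(DNSKEY|RRSIG|DS)\s+(.+)$", re.I)


def audit_zone(zone_text):
    """Return {owner: [finding, ...]} for DNSKEY/RRSIG/DS records that rely on legacy hashes."""
    findings = defaultdict(list)
    for raw in zone_text.splitlines():
        m = RR_RE.match(raw.split(";")[0].strip())  # drop comments; skip unrelated types
        if not m:
            continue
        owner, rrtype, f = m.group(1), m.group(2).upper(), m.group(3).split()
        if rrtype == "DNSKEY":                      # rdata: flags proto alg key
            alg, role = int(f[2]), "KSK" if int(f[0]) & 1 else "ZSK"  # SEP bit marks the KSK
            if alg in LEGACY_ALGS:
                findings[owner].append(f"{role} uses {LEGACY_ALGS[alg]} (alg {alg})")
        elif rrtype == "RRSIG":                     # rdata: type alg labels ttl exp inc tag signer sig
            alg = int(f[1])
            if alg in LEGACY_ALGS:
                findings[owner].append(f"RRSIG over {f[0]} made with alg {alg}")
        elif rrtype == "DS":                        # rdata: keytag alg digesttype digest
            alg, dtype = int(f[1]), int(f[2])
            if alg in LEGACY_ALGS or dtype in LEGACY_DIGESTS:
                findings[owner].append(f"DS alg {alg}, digest type {dtype}")
    return dict(findings)


# Constructed sample records (keys, digests and signatures are placeholders, not real material).
SAMPLE_ZONE = """\
example.test. 3600 IN DNSKEY 257 3 7 AwEAAcKSKplaceholder==   ; old KSK, RSASHA1-NSEC3-SHA1
example.test. 3600 IN DNSKEY 256 3 13 oJMRESzskplaceholder==  ; ZSK already on ECDSA P-256
example.test. 3600 IN RRSIG DNSKEY 7 2 3600 20240601000000 20240501000000 12345 example.test. sigplaceholder==
example.test. 3600 IN DS 12345 7 1 0123456789abcdef0123456789abcdef01234567
gost.test.    3600 IN DNSKEY 257 3 12 gostplaceholder==
modern.test.  3600 IN DNSKEY 257 3 13 modernplaceholder==
modern.test.  3600 IN DS 4321 13 2 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
"""

if __name__ == "__main__":
    for owner, issues in audit_zone(SAMPLE_ZONE).items():
        print(owner, "->", "; ".join(issues))
```

Run against a real zone dump, only the zones that appear in the output need a signer change; the DS finding is the one that also needs the parent to publish a new record.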