IETF Logo Mail Archive

Re: [DNSOP] [Ext] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost

Paul Wouters <paul@nohats.ca> Tue, 30 April 2024 14:43 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D188C14F617 for <dnsop@ietfa.amsl.com>; Tue, 30 Apr 2024 07:43:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.73
X-Spam-Level:
X-Spam-Status: No, score=-3.73 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OFaW0P6p9KBA for <dnsop@ietfa.amsl.com>; Tue, 30 Apr 2024 07:43:50 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F253DC14F6A1 for <dnsop@ietf.org>; Tue, 30 Apr 2024 07:43:49 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4VTNHQ4Qfpz5T4; Tue, 30 Apr 2024 16:43:46 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1714488226; bh=O2w6iNrklae79+fPsACnHh+XC8MDJd8cEjmYBmggxtE=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=uobNuI7CgXNH2xxmyJ+Sb8rwaA2avJ6U2LifpvH3ed1/c++A+WTT0/wJVU607I0zP q3hrOCZazbaBQSOk0GeIIQaWAf4mKy+wFAis4+evL/T4YB1fgdZvzkcqvEgpRhDV1X KaY+ARDmQF0i6A6XIismHsFM3iPGMPIyMwFERCpw=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id XL2dIPia9NdD; Tue, 30 Apr 2024 16:43:45 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 30 Apr 2024 16:43:45 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id C249511DE539; Tue, 30 Apr 2024 10:43:44 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id BEF3711DE538; Tue, 30 Apr 2024 10:43:44 -0400 (EDT)
Date: Tue, 30 Apr 2024 10:43:44 -0400
From: Paul Wouters <paul@nohats.ca>
To: Philip Homburg <pch-dnsop-5@u-1.phicoh.com>
cc: dnsop@ietf.org
In-Reply-To: <m1s1oHu-0000LZC@stereo.hq.phicoh.net>
Message-ID: <0a9a6466-0e66-8c1c-2133-34da5eb52812@nohats.ca>
References: <D95A2D1F-1203-4434-B643-DDFB5C24A161@icann.org> <67B93EF4-6B70-402E-9D78-1A079538CA18@strandkip.nl> <m1s1Wur-0000LDC@stereo.hq.phicoh.net> <f0f9c0ce-2911-9b4c-0d60-47c204add2d4@nohats.ca> <m1s1mGR-0000PPC@stereo.hq.phicoh.net> <fbce2996-346f-29fa-3534-45eaa142b96e@nohats.ca> <m1s1oHu-0000LZC@stereo.hq.phicoh.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/XopFnthm0nFWrJ_z1tJYUoBwxrU>
Subject: Re: [DNSOP] [Ext] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Apr 2024 14:43:54 -0000

On Tue, 30 Apr 2024, Philip Homburg wrote:

> So what happens instead is that software is patched to return insecure if
> SHA1 is not avaiable for signing and that is of course very risky.

has been patched, yes. The problem arguably is that DNS moved WAY slower
that the industry as a whole to get rid of SHA1. You can blame the
industry, but honestly, DNS(SEC) is the outlier here.

> So it seems that one company is trying set policy.

Entities stating to not use SHA1 for cryptographic purposes:

- FIPS
- PCI-DSS
- BSI
- OWASP
- SOC2
- PKI-industry & CAB/Forum
- TLS, IPsec/IKE, OpenPGP, SMIME, et all at IETF.
- All the cryptographers including CFRG


> Given that for a large number of zones, SHA1 does not pose a security risk,
> there is no 'too slow'.

"too slow" is literally what caused this, as the cryptographic libraries
and OSes prepared for more centralized OS control and disabling of SHA1
for cryptographic purposes throughout the entire OS.

> There is a general move to EC for signatures and that solves the SHA1
> issue as well. For zones that are currently secure, just let them be
> secure.

They are not guaranteed secure. For some these are insecure already. And
endusers or zoneowners might not even be aware of this.

> And let Redhat ship broken products if they want.

I was still at Red Hat when this originally happened, and the DNS
software was not prepaered for this. I tried to talk to everyone
involved to contain the damage. DNS software got updated. But that
was FIVE YEARS ago. I can't believe we are still having a discussion
to keep allowing SHA1 five years after the damage started to show.
That is a DNS problem, and this draft is the proper way for IETF to
signal to people to move away from SHA1. It's the most the IETF can
do and it is already damn little.

Your proposed alternative seems to be to do nothing, which is clearly
ignoring the market and blaming the frontrunner within that market.

Paul

v2.34.0 | Report a Bug | By Email | System Status