IETF Logo Mail Archive

Re: [DNSOP] [Ext] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost

Mark Andrews <marka@isc.org> Tue, 30 April 2024 14:41 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC57DC14F6A1 for <dnsop@ietfa.amsl.com>; Tue, 30 Apr 2024 07:41:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b="Zhm+gFeL"; dkim=pass (1024-bit key) header.d=isc.org header.b="ldz/VepF"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Njshax1KQAHl for <dnsop@ietfa.amsl.com>; Tue, 30 Apr 2024 07:41:14 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.2.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C5F6C14F691 for <dnsop@ietf.org>; Tue, 30 Apr 2024 07:41:13 -0700 (PDT)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.2.31]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id EEB073AB01C; Tue, 30 Apr 2024 14:41:12 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org EEB073AB01C
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.2.31
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1714488073; cv=none; b=OKtjqP/e3TLpDdKColUzJ/CmbfmXvcXKrJnWX21SfdVOtLBqBbbjzi4CaJsnxN6jVqfjEBn3NdQcre55Ekzlpb5HOrXb48DL5TJBP8FqNbZo1dpcDMYwDyh3n+nX3yd0Xse5P11dBj6AT/AHomliU+T194D4P1dKSSIMoR1uyCM=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1714488073; c=relaxed/relaxed; bh=CkZwNidvLDGBzBeMd7/8B7jZCZfRwTv4Pq9cE19IpDM=; h=DKIM-Signature:DKIM-Signature:Mime-Version:Subject:From:Date: Message-Id:To; b=rYgcqpTIr1Gz1SrKIAuxO47zHFGKRuFvI43EMqhKi6noZjS8+toPa4jxgOh6QXzSEEAL1l23tdZHOOuEV2EJeKHUHiCybXJRDAcRomodLMqXrJQHv1D2QWpWbWW9G0nn11C714ewyqdL0D/VXvzre7V7fCnV4PsyRqk2EJ66A04=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org EEB073AB01C
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1714488073; bh=CkZwNidvLDGBzBeMd7/8B7jZCZfRwTv4Pq9cE19IpDM=; h=Subject:From:In-Reply-To:Cc:Date:References:To; b=Zhm+gFeL1uQb76dJAoZB+QfE1NOZhIajInz+YUql7LAB/M1NCRsvLXplhUPIiuOvF 9+UNbfwgNs93YV3Ni1nLANvDZO8fkta/D+y895y3iEwBVX6mSabGIyWjFWcm9utKM5 rOrrjk7XhHnchKuINUj76zNwQc96y/P7g9kGH3mQ=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id E97551127B7C; Tue, 30 Apr 2024 14:41:12 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id C729E112808E; Tue, 30 Apr 2024 14:41:12 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org C729E112808E
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1714488072; bh=CkZwNidvLDGBzBeMd7/8B7jZCZfRwTv4Pq9cE19IpDM=; h=Mime-Version:From:Date:Message-Id:To; b=ldz/VepFTBnU/Iqh0rdaSkRifzHgb9/dek4DpmNMNzamTg5Q4Kv0lKxCKhApe1Q+9 Y6Opm+E9uvLzoj2nXicMFcReLTdMaZP41AAy/ket5bbvGOLIsWn8C3T7wGzKJUha02 oIKVN6QlGpX/72Y1JOehN8f20eoryAdIwuJnjWKw=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavis, port 10026) with ESMTP id se77Xn2j8cD1; Tue, 30 Apr 2024 14:41:12 +0000 (UTC)
Received: from smtpclient.apple (n49-187-18-238.bla1.nsw.optusnet.com.au [49.187.18.238]) by zimbrang.isc.org (Postfix) with ESMTPSA id 8CC9A1127B7C; Tue, 30 Apr 2024 14:41:12 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (1.0)
From: Mark Andrews <marka@isc.org>
In-Reply-To: <fbce2996-346f-29fa-3534-45eaa142b96e@nohats.ca>
Cc: Philip Homburg <pch-dnsop-5@u-1.phicoh.com>, dnsop@ietf.org
Date: Wed, 01 May 2024 00:41:08 +1000
Message-Id: <899D42FA-5E94-4077-B5E3-719220EB9235@isc.org>
References: <fbce2996-346f-29fa-3534-45eaa142b96e@nohats.ca>
To: Paul Wouters <paul@nohats.ca>
X-Mailer: iPhone Mail (19H384)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/cO0dhbJJ8Km9XLtVVUgZ3P11rSs>
Subject: Re: [DNSOP] [Ext] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Apr 2024 14:41:18 -0000

One got servfail because validators where not aware that support was ripped away underneath it. Validators started to get errors that where totally unexpected. Performing runtime testing of algorithm support addressed that by allowing the validator to skip the unsupported algorithm. 
-- 
Mark Andrews

> On 1 May 2024, at 00:04, Paul Wouters <paul@nohats.ca> wrote:
> On Tue, 30 Apr 2024, Philip Homburg wrote:
> 
>>> The advise is split between producing SHA1 signatures and consuming SHA1
>>> signatures, and those timings do not have to be identical.
>>> That said, a number of OSes have already forced the issue by failing
>>> SHA1 as cryptographic operation (RHEL, CentOS, Fedora, maybe more). So
>>> right now, if you run DNSSEC with SHA1 (which includes NSEC3 using
>>> SHA1), your validator might already return it as an insecure zone.
>>> I think a MUST NOT for signing with SHA1 is a no-brainer. The timing for
>>> MAY on validation should be relatively short (eg 0-2 years?)
>> 
>> What worries me about the draft is the security section. I can understand
>> the desire to get rid of old crypto, but as far as I can tell
>> this draft will mostly decrease security.
> 
> It will also prevent ServFails when the system crypto SHA1 for
> authentication and signature purposes is blocked, and the DNS software
> sees this as a failure and returns BOGUS. I am not sure how many DNS
> implementations are now probing SHA1 and on failure put it in the
> "unsupported algorithm" class, to serve it as insecure instead of bogus.
> 
> This issue did hit RHEL,CentOS, Fedora.
> 
>> We can accept as given that it is easy to find collisions for SHA1. However,
>> a second pre-image attack is way off in the future.
> 
> I'm not too concerned about that.
> 
>> Looking at the signer part, this is not great either. Moving away from SHA1
>> requires an algorithm roll-over. DNSSEC is already quite fragile and algorithm
>> rolls are worse. So there is a failure risk that is too big ignore.
> 
> Yes, this fragility is why there are still zones using SHA1 at all. But
> I think software and DNS services have no matured to the point where it
> is save to do. Eg bind, opendnssec, knot.
> 
>> This draft requires zones that do not have a collision risk to move to a
>> different algorithm, at a significant risk, but there is no increase in
>> security. So that part is also a net negative for security.
> 
> Staying at SHA1 incurs the above risk of SHA1 leading to Bogus/ServFail.
> 
>> So it seems that we are asked to adopt a draft that will mostly reduce
>> security, not increase it.
> 
> It prevents zone outages.
> 
>> There might be other arguments for adopting the draft, such a Redhat not
>> validating signatures with SHA1 anymore. But those arguments are not
>> mentioned in the draft.
> 
> I guess these considerations can be added to the draft if the WG wants?
> 
>> And if some companies from one country want to shoot themselves in the foot,
>> does the rest of the world have to follow?
> 
> The IETF and its cryptographic policies are a careful interworking
> between market forces, reality and desire. Moving to fast leads to RFCs
> being ignored. Moving too slow means RFCs do not encourage
> modernization. Every other protocol has left SHA1 behind. It's time for
> DNS to follow suit. It's had its "exemption" for a few years already.
> 
> Paul
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.34.0 | Report a Bug | By Email | System Status