Re: [DNSOP] [Ext] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost
Mark Andrews <marka@isc.org> Tue, 30 April 2024 14:54 UTC
The validators were not returning BOGUS. They were returning unknown error. Both errors resulted in servfail. Once we knew what RH had done one could go from compile-time testing of support to runtime testing of support. The DNSSEC RFCs already told developers how to handle this. RSASHA1 is just treated as any other unsupported algorithm if there is not runtime support. Unfortunately there isn't an easy test. You have to attempt to verify a known good signature.

-- 
Mark Andrews

> On 1 May 2024, at 00:41, Mark Andrews <marka@isc.org> wrote:
> 
> One got servfail because validators were not aware that support was ripped away underneath it. Validators started to get errors that were totally unexpected. Performing runtime testing of algorithm support addressed that by allowing the validator to skip the unsupported algorithm.
> -- 
> Mark Andrews
> 
>> On 1 May 2024, at 00:04, Paul Wouters <paul@nohats.ca> wrote:
>> On Tue, 30 Apr 2024, Philip Homburg wrote:
>> 
>>>> The advice is split between producing SHA1 signatures and consuming SHA1
>>>> signatures, and those timings do not have to be identical.
>>>> That said, a number of OSes have already forced the issue by failing
>>>> SHA1 as cryptographic operation (RHEL, CentOS, Fedora, maybe more). So
>>>> right now, if you run DNSSEC with SHA1 (which includes NSEC3 using
>>>> SHA1), your validator might already return it as an insecure zone.
>>>> I think a MUST NOT for signing with SHA1 is a no-brainer. The timing for
>>>> MAY on validation should be relatively short (eg 0-2 years?)
>>> 
>>> What worries me about the draft is the security section. I can understand
>>> the desire to get rid of old crypto, but as far as I can tell
>>> this draft will mostly decrease security.
>> 
>> It will also prevent ServFails when the system crypto SHA1 for
>> authentication and signature purposes is blocked, and the DNS software
>> sees this as a failure and returns BOGUS. I am not sure how many DNS
>> implementations are now probing SHA1 and on failure put it in the
>> "unsupported algorithm" class, to serve it as insecure instead of bogus.
>> 
>> This issue did hit RHEL, CentOS, Fedora.
>> 
>>> We can accept as given that it is easy to find collisions for SHA1. However,
>>> a second pre-image attack is way off in the future.
>> 
>> I'm not too concerned about that.
>> 
>>> Looking at the signer part, this is not great either. Moving away from SHA1
>>> requires an algorithm roll-over. DNSSEC is already quite fragile and algorithm
>>> rolls are worse. So there is a failure risk that is too big to ignore.
>> 
>> Yes, this fragility is why there are still zones using SHA1 at all. But
>> I think software and DNS services have now matured to the point where it
>> is safe to do. Eg bind, opendnssec, knot.
>> 
>>> This draft requires zones that do not have a collision risk to move to a
>>> different algorithm, at a significant risk, but there is no increase in
>>> security. So that part is also a net negative for security.
>> 
>> Staying at SHA1 incurs the above risk of SHA1 leading to Bogus/ServFail.
>> 
>>> So it seems that we are asked to adopt a draft that will mostly reduce
>>> security, not increase it.
>> 
>> It prevents zone outages.
>> 
>>> There might be other arguments for adopting the draft, such as Redhat not
>>> validating signatures with SHA1 anymore. But those arguments are not
>>> mentioned in the draft.
>> 
>> I guess these considerations can be added to the draft if the WG wants?
>> 
>>> And if some companies from one country want to shoot themselves in the foot,
>>> does the rest of the world have to follow?
>> 
>> The IETF and its cryptographic policies are a careful interworking
>> between market forces, reality and desire. Moving too fast leads to RFCs
>> being ignored. Moving too slow means RFCs do not encourage
>> modernization. Every other protocol has left SHA1 behind. It's time for
>> DNS to follow suit. It's had its "exemption" for a few years already.
>> 
>> Paul
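The runtime probe described in this message, as an added example that is not part of the thread or of any resolver's code: verify a known-good signature per algorithm, treat a False result or an unexpected crypto-layer error as "unsupported", and let the RFC 4035 section 5.2 rule turn a zone signed only with unsupported algorithms into insecure instead of a SERVFAIL. The HMAC stand-in for RSA verification, the blocked-SHA1 crypto-policy model and the test vectors are constructed for this example.

```python
import hmac

# DNSSEC algorithm numbers (RFC 8624 table): RSASHA1 = 5, RSASHA256 = 8
RSASHA1, RSASHA256 = 5, 8
_DIGEST = {RSASHA1: "sha1", RSASHA256: "sha256"}

# Constructed stand-in for the crypto library's signature verify: an HMAC over the
# algorithm's hash plays the role of the RSA signature so everything runs offline.
def crypto_verify(alg, key, data, sig):
    return hmac.compare_digest(hmac.new(key, data, _DIGEST[alg]).digest(), sig)

# Constructed model of a RHEL-style crypto policy: SHA1 is refused for signature
# use and surfaces as an error the validator never expected, not as "False".
def blocked_sha1_verify(alg, key, data, sig):
    if alg == RSASHA1:
        raise RuntimeError("digest not allowed by crypto policy")
    return crypto_verify(alg, key, data, sig)

# Runtime probe: try to verify a known-good signature for every algorithm the
# validator was built with. A False result or an unexpected exception both mean
# "unsupported", so the algorithm is later treated like any unknown algorithm.
def probe_algorithms(verify, test_vectors):
    supported = set()
    for alg, (key, data, sig) in test_vectors.items():
        try:
            if verify(alg, key, data, sig):
                supported.add(alg)
        except Exception:
            pass
    return supported

# RFC 4035 section 5.2: if the validator supports none of the DS algorithms for
# the zone, the zone is treated as insecure (unsigned), not bogus. With a
# compile-time "supported" set, a blocked algorithm instead reaches the crypto
# layer and its error becomes a SERVFAIL (the "unknown error" path above).
def validate(verify, supported, ds_algs, rrsigs, key, data):
    if not any(alg in supported for alg in ds_algs):
        return "insecure"
    try:
        for alg, sig in rrsigs:
            if alg in supported and verify(alg, key, data, sig):
                return "secure"
        return "bogus"
    except Exception:
        return "servfail"

# Constructed known-good test vectors (a real validator ships these as constants).
KEY, DATA = b"constructed-test-key", b"example. IN A 192.0.2.1"
VECTORS = {a: (KEY, DATA, hmac.new(KEY, DATA, d).digest()) for a, d in _DIGEST.items()}
```

Running `probe_algorithms(blocked_sha1_verify, VECTORS)` yields only RSASHA256, so a SHA1-only zone comes back "insecure"; hard-coding both algorithms as supported on the same system yields "servfail".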