IETF Logo Mail Archive

Re: [DNSOP] New Version Notification for draft-fanf-dnsop-sha-ll-not-00.txt (fwd)

Paul Wouters <paul@nohats.ca> Tue, 10 March 2020 01:42 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 727423A0C82 for <dnsop@ietfa.amsl.com>; Mon, 9 Mar 2020 18:42:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6P61BjtpYyeA for <dnsop@ietfa.amsl.com>; Mon, 9 Mar 2020 18:42:38 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7BB0C3A0C7C for <dnsop@ietf.org>; Mon, 9 Mar 2020 18:42:38 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 48byWw4z64zKkc; Tue, 10 Mar 2020 02:42:36 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1583804556; bh=BG47Hq8U57NU2cDHtRg1CHr28w/5mZZ91QNnGFthb/0=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=XVrej+JATbx536vAxs4uymgrIBwuS/FKClVlewVijDFi06wSt30MrjFzZZozOQeOf /AFHs7ye2IGhoOX7evb0XlIEHn1bDZ2PSBmGxohag0BuM+C5dFny/DG7jVHCLCX5xK 6k8y48+F+HR1ClugSmucI7QP34BYxvR9ntSkTIaw=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id gZoSm2agB4zb; Tue, 10 Mar 2020 02:42:35 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 10 Mar 2020 02:42:35 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id EDDAE6020D40; Mon, 9 Mar 2020 21:42:33 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id EA2A682C66; Mon, 9 Mar 2020 21:42:33 -0400 (EDT)
Date: Mon, 09 Mar 2020 21:42:33 -0400
From: Paul Wouters <paul@nohats.ca>
To: Tony Finch <dot@dotat.at>
cc: dnsop@ietf.org
In-Reply-To: <alpine.DEB.2.20.2003092255250.24181@grey.csi.cam.ac.uk>
Message-ID: <alpine.LRH.2.21.2003092107490.6834@bofh.nohats.ca>
References: <alpine.DEB.2.20.2003092255250.24181@grey.csi.cam.ac.uk>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/d29GRjVk7GR4hJLlrAtI28214Y4>
Subject: Re: [DNSOP] New Version Notification for draft-fanf-dnsop-sha-ll-not-00.txt (fwd)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Mar 2020 01:42:42 -0000

On Mon, 9 Mar 2020, Tony Finch wrote:

> The aim of this is to deprecate SHA-1 algorithms 5 and 7 more vigorously.
> I've put in a fairly specific timetable for sake of argument, basically to
> set up the death of SHA-1 as next year's DNS "flag day", unless some
> clever cryptanalysis forces it to happen sooner.

As authors of RFC 8624, this is the third such proposal we have now seen :)

RFC 8624 lists SHA-1 algorithms as NOT RECOMMENDED for signers and MUST
for resolvers. The only real change that Ondrey and I believe is
justified is for the signers to go from NOT RECOMMENDED to MUST NOT.

But this draft does a lot more.

The problem is nicely summarized in Section 2.4:

    Validating resolvers MUST treat algorithms 5 and 7 as unknown or
    insecure after the start of 2022, or earlier if SHA-1 becomes
    significantly weaker before then.

Obsoleting really takes time. And the path is to first stop producing
SHA1 signatures, and once that number goes down, to start discouraging
consuming SHA1 signatures. If you immediately say MUST NOT for validating,
you are making 2211449 + 287467 = 2.5M domains more insecure. That would
be very irresponsible, and serve no real purpose. Saying "start of 2022"
might be okay, but might not be okay. We don't know yet. That is why RFC
8624 does not put in specific dates. We need to push the market, but
not demand unrealistic speeds. If we do that, people will simply start
ignoring the RFC recommendations.

The document spells out a big doom day scenario, and then in section
5.4.1 admits that, oh btw, if you don't share private keys with other
zones, then you don't really have an issue. Note that the parties
sharing private keys for different domains are the large scale DNS
hosters, who already have no reason to still be on SHA-1.

RFC 8624 says NOT RECOMMENDED for producing SHA1 signatures. It says
MUST for consuming SHA1 signatures. It does so for good reasons. While
we could update the document to change signing from NOT RECOMMENDED
(which is really SHOULD NOT) to MUST NOT, it is a pretty light change. I
am not sure if it is worth updating RFC 8624 for, but numbers are cheap
so we could just do it.

But what really needs to happen is that we need to reduce the number of
SHA1 signatures present. We could push the signing software vendors to
refuse generating new DNSKEY's KSK's that use SHA1. This might delay a
KSK rollover unexpectedly, but it won't cause any outages or regressions
to insecure zones. And that process already mostly involves a human
interaction for an updated DS anyway. Slowing that down won't really
do any harm. It would give those using SHA1 a nudge to look at doing an
algorithm rollover for their new KSK instead. Similarly, we could nudge
TLDs to stop accepting SHA1 based DS records, or for those TLDs that
generate their own DS records, push them to no longer publish SHA1
based DS records.

Which brings me to my second point, upgrading. Moving away from SHA1
involves an algorithm rollover. A lot of currently deployed signers run
on software that is a few years old. For instance a few year old bind or
opendnssec does not even support an algorithm rollover. I believe the
main reason we still see so muc SHA1, is that people and their software
are not ready to do an algorithm rollover. And if they are not ready,
publishing a new RFC that mandates such a change will just be ignored.
We need to work on our tools and documentation to give confidence to
people that an algorithm rollover is easy

And speaking for myself now (and not Ondrey), I'm a strong opponent
of DNS "flag days", such as proposed in this draft by specifying a
die date. Software updates take time and there will never be a single
day where suddenly we live in a new world. Instead of marketing a
threat to users, we should improve the tools so people are more or less
automatically algorithm rolled to a new world without threats.

Paul

v2.23.0 | Report a Bug | By Email