Re: [DNSOP] New Version Notification for draft-fanf-dnsop-sha-ll-not-00.txt (fwd)
Paul Wouters <paul@nohats.ca> Tue, 10 March 2020 01:42 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 727423A0C82 for <dnsop@ietfa.amsl.com>; Mon, 9 Mar 2020 18:42:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6P61BjtpYyeA for <dnsop@ietfa.amsl.com>; Mon, 9 Mar 2020 18:42:38 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7BB0C3A0C7C for <dnsop@ietf.org>; Mon, 9 Mar 2020 18:42:38 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 48byWw4z64zKkc; Tue, 10 Mar 2020 02:42:36 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1583804556; bh=BG47Hq8U57NU2cDHtRg1CHr28w/5mZZ91QNnGFthb/0=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=XVrej+JATbx536vAxs4uymgrIBwuS/FKClVlewVijDFi06wSt30MrjFzZZozOQeOf /AFHs7ye2IGhoOX7evb0XlIEHn1bDZ2PSBmGxohag0BuM+C5dFny/DG7jVHCLCX5xK 6k8y48+F+HR1ClugSmucI7QP34BYxvR9ntSkTIaw=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id gZoSm2agB4zb; Tue, 10 Mar 2020 02:42:35 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 10 Mar 2020 02:42:35 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id EDDAE6020D40; Mon, 9 Mar 2020 21:42:33 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id EA2A682C66; Mon, 9 Mar 2020 21:42:33 -0400 (EDT)
Date: Mon, 09 Mar 2020 21:42:33 -0400
From: Paul Wouters <paul@nohats.ca>
To: Tony Finch <dot@dotat.at>
cc: dnsop@ietf.org
In-Reply-To: <alpine.DEB.2.20.2003092255250.24181@grey.csi.cam.ac.uk>
Message-ID: <alpine.LRH.2.21.2003092107490.6834@bofh.nohats.ca>
References: <alpine.DEB.2.20.2003092255250.24181@grey.csi.cam.ac.uk>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/d29GRjVk7GR4hJLlrAtI28214Y4>
Subject: Re: [DNSOP] New Version Notification for draft-fanf-dnsop-sha-ll-not-00.txt (fwd)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Mar 2020 01:42:42 -0000
On Mon, 9 Mar 2020, Tony Finch wrote: > The aim of this is to deprecate SHA-1 algorithms 5 and 7 more vigorously. > I've put in a fairly specific timetable for sake of argument, basically to > set up the death of SHA-1 as next year's DNS "flag day", unless some > clever cryptanalysis forces it to happen sooner. As authors of RFC 8624, this is the third such proposal we have now seen :) RFC 8624 lists SHA-1 algorithms as NOT RECOMMENDED for signers and MUST for resolvers. The only real change that Ondrey and I believe is justified is for the signers to go from NOT RECOMMENDED to MUST NOT. But this draft does a lot more. The problem is nicely summarized in Section 2.4: Validating resolvers MUST treat algorithms 5 and 7 as unknown or insecure after the start of 2022, or earlier if SHA-1 becomes significantly weaker before then. Obsoleting really takes time. And the path is to first stop producing SHA1 signatures, and once that number goes down, to start discouraging consuming SHA1 signatures. If you immediately say MUST NOT for validating, you are making 2211449 + 287467 = 2.5M domains more insecure. That would be very irresponsible, and serve no real purpose. Saying "start of 2022" might be okay, but might not be okay. We don't know yet. That is why RFC 8624 does not put in specific dates. We need to push the market, but not demand unrealistic speeds. If we do that, people will simply start ignoring the RFC recommendations. The document spells out a big doom day scenario, and then in section 5.4.1 admits that, oh btw, if you don't share private keys with other zones, then you don't really have an issue. Note that the parties sharing private keys for different domains are the large scale DNS hosters, who already have no reason to still be on SHA-1. RFC 8624 says NOT RECOMMENDED for producing SHA1 signatures. It says MUST for consuming SHA1 signatures. It does so for good reasons. While we could update the document to change signing from NOT RECOMMENDED (which is really SHOULD NOT) to MUST NOT, it is a pretty light change. I am not sure if it is worth updating RFC 8624 for, but numbers are cheap so we could just do it. But what really needs to happen is that we need to reduce the number of SHA1 signatures present. We could push the signing software vendors to refuse generating new DNSKEY's KSK's that use SHA1. This might delay a KSK rollover unexpectedly, but it won't cause any outages or regressions to insecure zones. And that process already mostly involves a human interaction for an updated DS anyway. Slowing that down won't really do any harm. It would give those using SHA1 a nudge to look at doing an algorithm rollover for their new KSK instead. Similarly, we could nudge TLDs to stop accepting SHA1 based DS records, or for those TLDs that generate their own DS records, push them to no longer publish SHA1 based DS records. Which brings me to my second point, upgrading. Moving away from SHA1 involves an algorithm rollover. A lot of currently deployed signers run on software that is a few years old. For instance a few year old bind or opendnssec does not even support an algorithm rollover. I believe the main reason we still see so muc SHA1, is that people and their software are not ready to do an algorithm rollover. And if they are not ready, publishing a new RFC that mandates such a change will just be ignored. We need to work on our tools and documentation to give confidence to people that an algorithm rollover is easy And speaking for myself now (and not Ondrey), I'm a strong opponent of DNS "flag days", such as proposed in this draft by specifying a die date. Software updates take time and there will never be a single day where suddenly we live in a new world. Instead of marketing a threat to users, we should improve the tools so people are more or less automatically algorithm rolled to a new world without threats. Paul
- [DNSOP] New Version Notification for draft-fanf-d… Tony Finch
- Re: [DNSOP] [Ext] New Version Notification for dr… Paul Hoffman
- Re: [DNSOP] New Version Notification for draft-fa… Paul Wouters
- Re: [DNSOP] [Ext] New Version Notification for dr… Tony Finch
- Re: [DNSOP] New Version Notification for draft-fa… Mark Andrews
- Re: [DNSOP] New Version Notification for draft-fa… Tony Finch
- Re: [DNSOP] [Ext] New Version Notification for dr… Paul Hoffman
- Re: [DNSOP] [Ext] New Version Notification for dr… Tony Finch
- Re: [DNSOP] [Ext] New Version Notification for dr… Tony Finch
- Re: [DNSOP] [Ext] New Version Notification for dr… Paul Hoffman
- Re: [DNSOP] [Ext] New Version Notification for dr… Paul Wouters
- Re: [DNSOP] [Ext] New Version Notification for dr… John Levine