Re: [DNSOP] Fwd: DNSSEC algorithm used on ietf.org

Petr Menšík <pemensik@redhat.com> Wed, 23 March 2022 16:22 UTC

Message-ID: <899b43b9-968b-a891-ffe4-461565e8b044@redhat.com>
Date: Wed, 23 Mar 2022 17:22:10 +0100
To: dnsop@ietf.org
References: <f45a40c7-f265-8e39-963b-2f6434afa18c@redhat.com> <42A9E3A3-B19C-4E81-AAB6-E34F352C4889@nohats.ca>
From: Petr Menšík <pemensik@redhat.com>
Organization: Red Hat
In-Reply-To: <42A9E3A3-B19C-4E81-AAB6-E34F352C4889@nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/dAsBvNWJbcjGX2IH7-VRGaDieBg>
Subject: Re: [DNSOP] Fwd: DNSSEC algorithm used on ietf.org
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>

Of course no one was ever considering making SHA-1 signatures fail hard
with SERVFAIL. More below.

On 3/23/22 15:50, Paul Wouters wrote:
> This has come up before and has been relayed before. I will see about
> getting this unstuck.
>
> Btw what do you mean with “disabling”? Letting it be treated as
> insecure or throwing a sha1 crypto library error and causing a bogus
> result leading to failure to access the sites ?

Insecure only. Yes, that would lead to valid resolution of
dnssec-failed.org, for example, because it is also signed only with
RSASHA1. It might surprise someone; it did surprise me. Disabled
algorithms are tested to pass as insecure. Only dnsmasq with the GOST digest
needs fixing on Fedora and RHEL, at least according to the test on
rootcanary.org.

Because the NSEC3 algorithm still does not have any alternative to SHA-1,
a hard crypto failure would be a blocker for any of our DNS products. I haven't
heard of it even being considered this way.

I know it might not be the best time for it yet, but it has to come someday.

>
> Paul
>
> Sent using a virtual keyboard on a phone
>
>> On Mar 23, 2022, at 15:31, Petr Menšík <pemensik@redhat.com> wrote:
>>
>>  Is this working group more appropriate to drive a possible change? Does it
>> have any means to modify ietf.org infrastructure?
>>
>> -------- Forwarded Message --------
>> Subject: 	DNSSEC algorithm used on ietf.org
>> Date: 	Wed, 23 Mar 2022 12:28:39 +0100
>> From: 	Petr Menšík <pemensik@redhat.com>
>> Organization: 	Red Hat
>> To: 	tools-discuss@ietf.org
>>
>>
>>
>> Hello,
>>
>> I work at Red Hat on DNS related products. We were analysing the impact of
>> disabling the algorithm RSASHA1. It is in a strange situation, because the IETF
>> itself deprecated this algorithm [1], but is using it for all documents
>> it publishes. For some reason the site stats.dnssec-tools.org gives it as an
>> example [2]. It seems the key signing key (KSK) should be updated and the
>> algorithm upgraded to a more recent one. There is also the informational
>> RFC 7583 [3], which should help with it.
>>
>> Is there already a plan to upgrade the DNSSEC algorithm? Is there any specific
>> reason why it stayed unchanged?
>>
>> I was directed here by IETF support. It might also be an interesting
>> topic for the dnsop WG.
>>
>> Was an upgrade already considered?
>>
>> Best Regards,
>> Petr Menšík
>>
>> 1. https://datatracker.ietf.org/doc/html/rfc8624#section-3
>> 2. https://stats.dnssec-tools.org/explore/
>> 3. https://datatracker.ietf.org/doc/html/rfc7583
>>
>> -- 
>> Petr Menšík
>> Software Engineer
>> Red Hat, http://www.redhat.com/
>> email: pemensik@redhat.com
>> PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
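An added example, not part of Petr Menšík's message and not code from Red Hat, ietf.org or any of the resolvers mentioned, written to make the "insecure, not bogus" distinction in the reply concrete. It is a small Python model of the DS-to-DNSKEY check a validator performs at a delegation (RFC 4034 key tag and DS digest, RFC 4035/6840 treatment of unsupported algorithms), run under a stock policy and under one with the RSASHA1 family (algorithms 5 and 7) disabled. The ietf.org DNSKEY is constructed with fake key bytes, RRSIG verification is left out, and the dnssec-failed.org observation corresponds to the "sha1_disabled" case: with no usable DS, the child is treated as unsigned and resolves instead of returning SERVFAIL.

```python
"""
Added example, not from the DNSOP thread nor ietf.org's or Red Hat's code: classify
a DNSSEC delegation under a validator's algorithm policy, to show why "disabling"
RSASHA1 yields an *insecure* answer rather than a *bogus* one (SERVFAIL).
Only the DS -> DNSKEY link is checked (key tag, DS digest); RRSIG verification is
out of scope. All key material is constructed, not ietf.org's real KSK.
"""
import base64
import hashlib
from dataclasses import dataclass

# IANA DNSSEC algorithm numbers the example needs (status per RFC 8624 section 3.1).
ALGORITHM_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
                   13: "ECDSAP256SHA256", 15: "ED25519"}
# DS digest types this validator can compute; 3 (GOST R 34.11-94) is absent from
# hashlib, so a GOST-only DS set counts as "unsupported" here, like the dnsmasq case.
DIGEST_FUNCS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def compute_key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (all algorithms but RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def wire_name(name: str) -> bytes:
    """Canonical lowercase wire form of an owner name (RFC 4034 section 6.2)."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes
    @property
    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key
    @property
    def key_tag(self) -> int:
        return compute_key_tag(self.rdata)

@dataclass(frozen=True)
class DS:
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes

def parse_dnskey(line: str) -> DNSKEY:
    """Parse a DNSKEY record in presentation format (dig output; TTL/class optional)."""
    toks = line.split()
    i = toks.index("DNSKEY")
    flags, proto, alg = (int(t) for t in toks[i + 1:i + 4])
    return DNSKEY(toks[0], flags, proto, alg, base64.b64decode("".join(toks[i + 4:])))

def ds_from_dnskey(key: DNSKEY, digest_type: int = 2) -> DS:
    """The DS a parent publishes: digest(owner || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    digest = DIGEST_FUNCS[digest_type](wire_name(key.owner) + key.rdata).digest()
    return DS(key.owner, key.key_tag, key.algorithm, digest_type, digest)

def classify(ds_set, dnskey_set, supported_algs, supported_digests=frozenset(DIGEST_FUNCS)) -> str:
    """Return "secure", "insecure" or "bogus" for one delegation.
    RFC 4035 section 5.2 / RFC 6840 section 5.2: if the validator supports none of
    the (algorithm, digest type) pairs in the DS set, the child is treated as
    unsigned (insecure). Only a DS it *can* check and that matches no DNSKEY
    makes the zone bogus, which is what turns into SERVFAIL.
    """
    usable = [ds for ds in ds_set
              if ds.algorithm in supported_algs and ds.digest_type in supported_digests]
    if not usable:
        return "insecure"
    for ds in usable:
        for key in dnskey_set:
            if ((key.algorithm, key.key_tag) == (ds.algorithm, ds.key_tag)
                    and ds_from_dnskey(key, ds.digest_type).digest == ds.digest):
                return "secure"
    return "bogus"

# Constructed stand-in for an RSA public key blob: exponent bytes plus 60 filler bytes.
_FAKE_RSA_BLOB = base64.b64encode(b"\x03\x01\x00\x01" + bytes(range(60))).decode()
# ietf.org-style KSK: SEP flag (257), algorithm 5 (RSASHA1); the key bytes are fake.
SHA1_KSK = parse_dnskey(f"ietf.org. IN DNSKEY 257 3 5 {_FAKE_RSA_BLOB}")
PARENT_DS = ds_from_dnskey(SHA1_KSK, digest_type=2)

ALL_ALGS = frozenset(ALGORITHM_NAMES)   # stock validator policy
NO_SHA1 = ALL_ALGS - {5, 7}             # RSASHA1 family "disabled"

def demo() -> dict:
    """The same delegation under both policies, plus a corrupted DS for contrast."""
    tampered = DS(PARENT_DS.owner, PARENT_DS.key_tag, 5, 2, b"\x00" * 32)
    return {"sha1_supported": classify([PARENT_DS], [SHA1_KSK], ALL_ALGS),
            "sha1_disabled": classify([PARENT_DS], [SHA1_KSK], NO_SHA1),
            "bad_ds_sha1_supported": classify([tampered], [SHA1_KSK], ALL_ALGS),
            "bad_ds_sha1_disabled": classify([tampered], [SHA1_KSK], NO_SHA1)}
```

Calling demo() gives "secure" and "bogus" for the good and corrupted DS while RSASHA1 is supported, but "insecure" for both once algorithms 5 and 7 are dropped from the policy: the validator never gets far enough to detect the corruption, which is exactly the trade-off between "treat as insecure" and "hard crypto failure" discussed in the reply. The same helper can be pointed at real dig output for a zone's DNSKEY and its parent's DS to see which policy would downgrade it.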