Re: [DNSOP] SHA-1 DS algo in arpa. :)

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 09 September 2021 20:09 UTC

Date: Thu, 09 Sep 2021 16:08:53 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dnsop@ietf.org
Message-ID: <YTpp1RilpQ4zvzRD@straasha.imrryr.org>
Reply-To: dnsop@ietf.org
References: <262ce7f3-fb31-172d-e920-629da9c1e681@nohats.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <262ce7f3-fb31-172d-e920-629da9c1e681@nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/sKCY-LAeOpi_xdSUH5IBsjhxKfI>
Subject: Re: [DNSOP] SHA-1 DS algo in arpa. :)

On Thu, Sep 09, 2021 at 11:28:04AM -0400, Paul Wouters wrote:

> Looks like for arpa., the DS records are:
> 
> arpa.			27247	IN	DS	42581 8 1 778606D9623F843F156E7D11ACBF815EB67AB516
> arpa.			27247	IN	DS	42581 8 2 F28391C1ED4DC0F151EDD251A3103DCE0B9A5A251ACF6E24073771D7 1F3C40F9
> 
> Per our own recommendations, we should probably ask for the SHA-1 record to be removed :)

Speaking of dogfood consumption, a year ago (Sep 2020) Wes and I reached
out to AMSL, suggesting algorithm rollovers to avoid use of deprecated
code points by ietf.org:

    https://stats.dnssec-tools.org/explore/?ietf.org

The discussion also included Robert Sparks, Russ Housley and Jay Daley.

This ultimately stalled around questions of providing detailed guidance
to AMSL on the rollover logistics, and IIRC Wes suggested that perhaps
the right risk/reward tradeoff is for ietf.org to temporarily (a few
days) go unsigned and then deploy new keys with algorithm 13 or 8.

This too should probably be addressed, between AMSL and the relevant
interested parties...

-- 
    Viktor.
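As an added example (not code from this thread, nor from any IETF or AMSL tool), the following Python script checks DS records against the RFC 8624 digest-type table behind the quoted recommendation, and shows how a DS digest is derived from a DNSKEY (RFC 4034 section 5.1.4) so that the SHA-1 and SHA-256 forms for one key can be compared. The two arpa. DS lines are copied from the quoted message; the owner name example., the KSK flags and the 64-byte "public key" are constructed placeholders, and the arpa. digests themselves are not recomputed because the arpa. DNSKEY is not in the thread.

```python
"""Audit DS records for deprecated digest types and derive DS digests from a
DNSKEY (RFC 4034 section 5.1.4, RFC 8624 section 3.3).
Added example; not code from the thread or from any IETF tool."""
import hashlib

# DS digest types with their RFC 8624 Table 3 status for publishing a DS
# (delegation) and for validating one. Type 1 (SHA-1) MUST NOT be used for
# new delegations, which is what the quoted message is pointing out.
DS_DIGEST_TYPES = {
    1: ("SHA-1", "MUST NOT", "MUST"),
    2: ("SHA-256", "MUST", "MUST"),
    3: ("GOST R 34.11-94", "MUST NOT", "MAY"),
    4: ("SHA-384", "MAY", "RECOMMENDED"),
}
HASHES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def parse_ds(line):
    """Parse one DS RR in presentation format; the digest may contain spaces."""
    fields = line.split()
    idx = fields.index("DS")
    key_tag, alg, digest_type = (int(x) for x in fields[idx + 1:idx + 4])
    digest = "".join(fields[idx + 4:]).lower()
    return {"owner": fields[0], "key_tag": key_tag, "algorithm": alg,
            "digest_type": digest_type, "digest": digest}


def audit_ds(lines):
    """Return (owner, key_tag, digest_type, reason) for each DS whose digest
    type is MUST NOT for publication, or is unknown."""
    findings = []
    for line in lines:
        ds = parse_ds(line)
        entry = DS_DIGEST_TYPES.get(ds["digest_type"])
        if entry is None:
            reason = "unknown digest type"
        elif entry[1] == "MUST NOT":
            reason = f"{entry[0]} is MUST NOT for publication (RFC 8624)"
        else:
            continue
        findings.append((ds["owner"], ds["key_tag"], ds["digest_type"], reason))
    return findings


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(dnskey_rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, algorithm, public_key, digest_type):
    """DS rdata for a DNSKEY: digest = H(owner in wire form | DNSKEY rdata),
    where DNSKEY rdata = flags(2) | protocol 3 | algorithm | public key."""
    rdata = flags.to_bytes(2, "big") + bytes([3, algorithm]) + public_key
    digest = HASHES[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest.upper()}"


# The two DS records quoted in the thread (copied, not recomputed here: the
# arpa. DNSKEY needed for that is not in the thread).
ARPA_DS = [
    "arpa. 27247 IN DS 42581 8 1 778606D9623F843F156E7D11ACBF815EB67AB516",
    "arpa. 27247 IN DS 42581 8 2 F28391C1ED4DC0F151EDD251A3103DCE0B9A5A251ACF6E24073771D7 1F3C40F9",
]

# Constructed KSK: flags 257, algorithm 8, and a placeholder 64-byte "public
# key" (not a real RSA key; only the DS derivation is being illustrated).
EXAMPLE_OWNER = "example."
EXAMPLE_PUBKEY = bytes(range(1, 65))


def demo():
    """Flag the SHA-1 DS from the thread and build a SHA-256 DS for the
    constructed key; both DS forms of one key share the same key tag."""
    findings = audit_ds(ARPA_DS)
    sha256_ds = ds_from_dnskey(EXAMPLE_OWNER, 257, 8, EXAMPLE_PUBKEY, 2)
    return findings, sha256_ds


if __name__ == "__main__":
    findings, sha256_ds = demo()
    for owner, tag, dtype, reason in findings:
        print(f"{owner} key tag {tag} digest type {dtype}: {reason}")
    print(f"{EXAMPLE_OWNER} IN DS {sha256_ds}")
```

Run against a zone's real DS set, the audit lists only the records to ask the parent to withdraw; for the replacement record, feed the zone's actual KSK DNSKEY rdata to `ds_from_dnskey` with digest type 2 and compare the result with what the parent publishes before and after the change.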