IETF Logo Mail Archive

Re: [DNSOP] [Ext] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost

Scott Morizot <tmorizot@gmail.com> Thu, 02 May 2024 13:09 UTC

Return-Path: <tmorizot@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 105C9C15154D for <dnsop@ietfa.amsl.com>; Thu, 2 May 2024 06:09:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b92qJUNzsO4N for <dnsop@ietfa.amsl.com>; Thu, 2 May 2024 06:09:42 -0700 (PDT)
Received: from mail-ej1-x629.google.com (mail-ej1-x629.google.com [IPv6:2a00:1450:4864:20::629]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 268ACC14F69F for <dnsop@ietf.org>; Thu, 2 May 2024 06:09:42 -0700 (PDT)
Received: by mail-ej1-x629.google.com with SMTP id a640c23a62f3a-a524ecaf215so1022607266b.2 for <dnsop@ietf.org>; Thu, 02 May 2024 06:09:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1714655380; x=1715260180; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=GAP0RQdGHg63cNHYRKtZRTtxLdoY0fftR9Tw9p+1LpA=; b=jmR1efIqFB2XKNR8iOQxlEiVZZndavIGEmxK8BIUopyWIlTHRi1bTi1Swb0IU8t2be RaBLr4/V8fH3YNlbNvQLl4LX4BqOqHJJP1bDWcMF0B4G3yle2LV8lBFyplLi5M6Ealiy jx1lGoiicXFjpya6YMbtBSh1PvCmcUMg46oa/kJLrwuo5YYrLxudIVzXtp1sQA5EyEnU cR4L724qqEKvnabaWjR3cztt/b77ytCy/7kh0HT3SWSSJHMh5drlA1tlMssCSu2XzuDT M9DsF5ji6wekRmfhL4YhV/U/HgPfGdMmcsJsuayMLkQJk97NWzkQTDQ45upUEalMbxeb zB4Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1714655380; x=1715260180; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=GAP0RQdGHg63cNHYRKtZRTtxLdoY0fftR9Tw9p+1LpA=; b=DXuiwYlrK7vvJVuqcoLGgTjdTzBen85bntxk22H7vInSRyyNz9lAER09dKYpv1cWDg mVwABuqn8x7hX+9jPByt5sNxvq2aMXRa/pnecfEo6FUdwJ1HKd1veVjfCN0RAa2hz4GP UxrecssytL2ymRDOTWAhhRJfmcU011B+xQ0sp0MuP8+fAqsYStBel2dV5QbdYOLnTA70 Tpn7WAR4Zb/uBTH4GmJurOaJ8dQcm5ndfX8lQk1bH1+Mmx2ZuET96ncEccTFyhlz5qmr 5WaRb0vEaNbf1wEJiOL4CMv2hdExhJdgk1FQkXSih/dzxtSW2sLGQ1EHn4uiGZV/CEJf mVCg==
X-Gm-Message-State: AOJu0YzGZjnDiNwbb5g0V/1J+8FLOIlFEQxst6MzW9i9N3wlhpkq3A7/ wJjWHhmDPU12eh/sIi58slUvN6GxRvhOCtjGZSu3CPnsvwWJW1qdMjWjbZp02RQGhssbMILN1ok nGvl/qIiB8GdjYh4+EuBbFuvpBQGIHJM=
X-Google-Smtp-Source: AGHT+IG9Tv/AcLwpxIHyy4wJI9HkGTLPgYOxEsqSnsHEcSkFl90bvwZRqa+FvAwZ3dygOOmi5S8tNW23pJx8Q1scbck=
X-Received: by 2002:a17:906:16c3:b0:a55:ae98:3aae with SMTP id t3-20020a17090616c300b00a55ae983aaemr1425398ejd.30.1714655380008; Thu, 02 May 2024 06:09:40 -0700 (PDT)
MIME-Version: 1.0
References: <m1s2Rwm-0000MGC@stereo.hq.phicoh.net> <20240502114353.BDF8189EEF4F@ary.local>
In-Reply-To: <20240502114353.BDF8189EEF4F@ary.local>
From: Scott Morizot <tmorizot@gmail.com>
Date: Thu, 02 May 2024 08:09:21 -0500
Message-ID: <CAFy81rkuhKajC6-A-+P8bCZM30aJ7_g12csc77wyU5m4KukvBA@mail.gmail.com>
To: John Levine <johnl@taugh.com>
Cc: dnsop@ietf.org
Content-Type: multipart/alternative; boundary="000000000000d6798406177850dd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/yMWHxrOm41FnzmzInKnusXCX6vM>
Subject: Re: [DNSOP] [Ext] Call for Adoption: draft-hardaker-dnsop-rfc8624-bis, must-not-sha1, must-not-ecc-gost
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 May 2024 13:09:46 -0000

On Thu, May 2, 2024 at 6:44 AM John Levine <johnl@taugh.com> wrote:

> It appears that Philip Homburg  <pch-dnsop-5@u-1.phicoh.com> said:
> >In your letter dated Thu, 2 May 2024 10:27:17 +0200 you wrote:
> >>I'm not following what breaks based on the wording I suggested, and I'm
> not su
> >>re why you keep bringing that up. :-)
> >
> >Then an RFC gets published that signers MUST NOT support signing using
> SHA1,
> >so ldns removes those algorithms. Then a software update brings the new
> >version of ldns my system. Now an unsigned zone gets deployed, ....
>
> On the other hand, if it issued annoying warning messages every time it
> used a SHA1 key, I'd eventually notice and probably rotate the keys.
>
> I'm with Peter, I do not see a MUST NOT as requiring vendors or operators
> to do stupid stuff.
>

A MUST NOT in RFC 8624 directs implementations to remove their
implementation of an algorithm. The current NOT RECOMMENDED is the
appropriate recommendation, according to the text of an RFC, for an
implementation to issue a warning that the algorithm is deprecated and
should not be used for signing. Here's the description of the intent in the
deprecation process outlined in RFC 8624. It seems to me this discussion
has strayed from that core process to various perspectives about whether or
not SHA-1 remains "secure enough".

  "It is expected that deprecation of an algorithm will be performed
   gradually in a series of updates to this document.  This provides
   time for various implementations to update their implemented
   algorithms while remaining interoperable.  Unless there are strong
   security reasons, an algorithm is expected to be downgraded from MUST
   to NOT RECOMMENDED or MAY, instead of to MUST NOT.  Similarly, an
   algorithm that has not been mentioned as mandatory-to-implement is
   expected to be introduced with a RECOMMENDED instead of a MUST.

   Since the effect of using an unknown DNSKEY algorithm is that the
   zone is treated as insecure, it is recommended that algorithms
   downgraded to NOT RECOMMENDED or lower not be used by authoritative
   nameservers and DNSSEC signers to create new DNSKEYs.  This will
   allow for deprecated algorithms to become less and less common over
   time.  Once an algorithm has reached a sufficiently low level of
   deployment, it can be marked as MUST NOT so that recursive resolvers
   can remove support for validating it.

   Recursive nameservers are encouraged to retain support for all
   algorithms not marked as MUST NOT."

I have seen absolutely no "strong security reasons" presented in this
discussion for altering that deprecation model when it comes to DNSSEC
algorithms 5 and 7. (I would consider 5 less widely deployed, but since the
only difference between the two is support for NSEC3 I don't see a reason
to treat them differently.) Algorithm 7 remains widely used and by zones
most people would consider significant. In the US, for instance, that
includes cdc.gov. Moreover, as others have pointed out, the following
assertion in the draft is factually wrong. I'm not going to support a
standards document that can't even accurately state facts.

"This document retires the use of SHA-1 within DNSSEC."

Well, no. It doesn't. NSEC3 will continue to require SHA-1 until such time
as that standard is also changed. The draft instructs implementations to no
longer support algorithms 5 and 7 for both signing and validation and by
changing both to MUST NOT at the same time it contravenes the deprecation
model outlined in RFC 8624 without providing any justification beyond some
security hand-waving.

RFC 8624 provides the correct guidance to implementations for the current
state of use for algorithms 5 and 7. There are no "strong security reasons"
for deviating from the deprecation model outlined in the RFC. "NOT
RECOMMENDED" for signing means the same as "SHOULD NOT". (That's also
included with the RFC reference in the text of RFC 8624.) That seems
appropriate for signing implementations to issue warnings that the
algorithms are deprecated for signing if they choose. The guidance for
support in validators is not supposed to move to MUST NOT until an
algorithm has reached a low enough level of deployment. I don't see how
anyone can reasonably argue that is the case today for algorithm 7.

In my opinion, this draft should not move forward.

Scott

v2.31.3 | Report a Bug | By Email | System Status