DNSSec mess with SHA1

Wolfgang Riedel Wolfgang.Riedel at f1-consult.com
Wed Dec 20 17:17:40 UTC 2023 

Hi Folks,

Many thanks for you feedback and insights.

I didn’t wanted to say that this is an ISC issue or something I expected someone to fix.
I just wanted to get your opinions and maybe provide a solution as I am not the only one facing that challenge ;-)

Yes, it may be a distribution packing or installation issue outside of BIND but nevertheless it’s impacting DNS resolution in a negative way.

Anyway, the easy solution to get it working without creating DNSSEC exceptions lists is:

update-crypto-policies --set LEGACY

… but I still think the right way would be getting people signing their zones with ED25519 or ED448 as mentioned by Scott.


 The following table lists the implementation recommendations for DNSKEY algorithms [DNSKEY-IANA].

   +--------+--------------------+-----------------+-------------------+
   | Number | Mnemonics          | DNSSEC Signing  | DNSSEC Validation |
   +--------+--------------------+-----------------+-------------------+
   | 1      | RSAMD5             | MUST NOT        | MUST NOT          |
   | 3      | DSA                | MUST NOT        | MUST NOT          |
   | 5      | RSASHA1            | NOT RECOMMENDED | MUST              |
   | 6      | DSA-NSEC3-SHA1     | MUST NOT        | MUST NOT          |
   | 7      | RSASHA1-NSEC3-SHA1 | NOT RECOMMENDED | MUST              |
   | 8      | RSASHA256          | MUST            | MUST              |
   | 10     | RSASHA512          | NOT RECOMMENDED | MUST              |
   | 12     | ECC-GOST           | MUST NOT        | MAY               |
   | 13     | ECDSAP256SHA256    | MUST            | MUST              |
   | 14     | ECDSAP384SHA384    | MAY             | RECOMMENDED       |
   | 15     | ED25519            | RECOMMENDED     | RECOMMENDED       |
   | 16     | ED448              | MAY             | RECOMMENDED       |
   +--------+--------------------+-----------------+-------------------+

I still puzzled why root zones can’t get it done to re-singn their zones with a decent algorithm and that organisations like NIST are still on SHA1…

Cheers and many thanks,
Wolfgang

On 15. Dec 2023, at 23:11, Mark Andrews <marka at isc.org> wrote:

They haven’t removed sha1 they have removed certain uses of sha1.  If they ever remove sha1 we will just add an implementation for sha1.
--
Mark Andrews

On 16 Dec 2023, at 01:09, Scott Morizot <tmorizot at gmail.com> wrote:


On Fri, Dec 15, 2023 at 7:40 AM Petr Špaček <pspacek at isc.org<mailto:pspacek at isc.org>> wrote:
We do runtime detection at startup because it's configurable, build time
would not work properly.

Okay, that makes sense. However, if I understood the scenario correctly, it seems like that configuration should then generate a runtime error or at least report that DNSSEC validation has been disabled. The description involved removing support for SHA1 entirely from the underlying system configuration. If that's the case then I don't see how DNSSEC validation can be reliably performed at all. It's not like introducing a new DNSSEC algorithm or removing support for an older DNSSEC algorithm. SHA1 is used to generate the hash label in NSEC3. I know that's been discussed on dnsops, but it hasn't changed. And from algorithm 8 on, there haven't been separate algorithms with and without NSEC3. Rather it's an option that can be configured for signing on a zone by zone basis. So if SHA1 isn't available, I don't see how any of the DNSSEC algorithms could truly be considered supported on the system.

That's making me curious enough that I might see if I can set up a system where I could reproduce that scenario and see what happens. Unless it's already part of your test suite and you know the answer, of course.

Scott
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20231220/29a2a0f5/attachment.htm>

More information about the bind-users mailing list