Re: F35 Change: Disable SHA1 In OpenDNSSec (Self-Contained Change proposal)

On Mon, 28 Jun 2021, Ben Cotton wrote: > https://fedoraproject.org/wiki/Change/DisableSHA1InOpenDNSSec > == Detailed Description == > > OpenDNSSec changed the default behavior to not include SHA1 DS by > default, and added the -sha1 knob as an immediately-deprecated > compatibility knob in version 2.1.0 (2017-2): "OPENDNSSEC-552: By > default ‘ods-enforcer key export –ds’ included the SHA1 version of the > DS. SHA1 use is discouraged in favour of SHA256. To get the SHA1 DS > use the –sha1 flag. This flag is immediately deprecated and will be > removed from future versions of OpenDNSSEC." (see ChangeLog: > https://www.opendnssec.org/archive/releases/ ). > > The proposal is to disable the -sha1 knob in Fedora. I will also open > an issue upstream to remove all the sha1-related code. This change makes me a bit nervous, and I'm the author of RFC 8624 that recommennds not using SHA-1 for DS/CDS records anymore. https://datatracker.ietf.org/doc/html/rfc8624#section-3.3 > Supporting statement > [https://www.icann.org/en/blogs/details/its-time-to-move-away-from-using-s... > [from ICANN] (2020-1-24): "Now is the time for administrators of zones > at all levels of the DNS to stop using SHA-1 and change to algorithms > using stronger hashes." While this is true, the order of where things need to change are: 1 Discourage, but not block, the use of SHA-1. Eg remove it from the default set. 2 Ensure the migration of SHA-1 based records to SHA-256 is taking place 3 remove support for SHA-1 This plan assumes we are in phase3. I would say we are in phase2. Remember, any domain that depends on SHA-1 is going to be more secure than being marked as insecure because SHA-1 is rejected. This is somewhat different from like SHA-1 support for authentication where the rejection of a weaker algorithm forces the use of a stronger algorithm. The DNSSEC fallback when an algorithm is not supported is to go insecure, not insist on a more secure SHA-2 that is not there. With DNSSEC, there is not client-server exchange like with TLS or IPsec. There is a producer on one end, and a consumer on the other end. The two do not negotiate crypto parameters. > == Benefit to Fedora == > * This change makes sure OpenDNSSec in Fedora follows ICANN's > guidelines and does not propose SHA1 DS. This is is needed given the > [https://sha-mbles.github.io/ latest attacks against SHA-1]. More > in-depth articles are available > [https://www.dns.cam.ac.uk/news/2020-01-09-sha-mbles.html there] and > [https://mailarchive.ietf.org/arch/msg/dnsop/hA4Ur9qxRJIUo13Pjpmrm_va7cs/ I know that a few people believe that shambles can in theory be abused with DNSSEC, but a lot of people also believe the constrains of DNS RRsets make this impossible. But even _if_ it is possible, it would only affect multiple domains that share the same private key that made the SHA-1 signature. And then we are talking about RRSIG records and not, as in this proposal, the DS/CDS RDATA content. > Patch the enforcer so that bsha1 is not honored anymore: I don't think fedora should move faster than upstream opendnssec. I believe the people at the IETF and the software developers of the DNS software are more aware of where we are in the migration path than individual Fedora developers.