No, SHA-1 is not going to be disabled the same way MD5 were disabled in RHEL 7. Normal message digests using SHA-1 will still work. I know NSEC3 has no other alternative and therefore we cannot afford breaking it altogether. It would break almost all resolution in the most common top level domains. Any attempt to do that would be clear blocker for a release and no, nothing such is planned or implemented.
What will start failing are attempts to verify digests made using SHA-1 and RSA keys used in the same openssl API call. I have included examples of openssl calls which would now return error. sha1sum and similar tools should still work unmodified. That means also NSEC3 would still work. I haven't seen complete API call list affected by this change. I cannot share it therefore. Power DNS developer said their implementation still works. It seems using lower-level API calls can avoid this change of policy. That is discouraged by our internal guidelines, but could be used as a workaround. I haven't tested those ways. On 4/14/22 07:02, Shreyas Zare wrote: > > Hi, > > Apart from DNSSEC validation, have you also tested DNS servers hosting > DNSSEC signed zones with NSEC3? This is since NSEC3 only has SHA1 > specified > <https://www.iana.org/assignments/dnssec-nsec3-parameters/dnssec-nsec3-parameters.xhtml> > and this may cause the DNS server unable to update the zone to create > new NSEC3 records. This will mean that even if the zone is signed with > ECDSA algorithms but use NSEC3 then they are going to fail. > Yes, I am aware there is no other hash algorithm standardized. I have tested NSEC3 stays working and validates in DEFAULT policy. If you can find a case where it stopped working on centos stream9 container, please share steps to reproduce with me. I don't think that can happen, but you can prove me wrong. > > Regards, > *Shreyas Zare* > Technitium <https://technitium.com/> > > Regards, Petr -- Petr Menšík Software Engineer Red Hat, http://www.redhat.com/ email: [email protected] PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
