On 3/23/22 15:56, Paul Hoffman wrote:
> On Mar 23, 2022, at 7:30 AM, Petr Menšík <pemen...@redhat.com> wrote:
>> Is this workgroup more appropriate to drive possible change? Has it any
>> means to modify ietf.org infrastructure?
> No and no.
>
> Having said that, please see below for commentary on your reasoning.
>
>> -------- Forwarded Message --------
>> Subject: DNSSEC algorithm used on ietf.org
>> Date: Wed, 23 Mar 2022 12:28:39 +0100
>> From: Petr Menšík <pemen...@redhat.com>
>> Organization: Red Hat
>> To: tools-disc...@ietf.org
>>
>>
>> Hello,
>>
>> I work in Red Hat on DNS related products. We were analysing impact on
>> disabling algorithm RSASHA1.
> The impact is clear: you will cause many validly-signed zones to be
> considered unsigned.

I am aware this would be the result. It was done in a very similar manner with RSAMD5. It is questionable anyway how secure it is, when its operator does not follow up-to-date recommendations.

>> It is in a strange situation, because IETF
>> itself deprecated this algorithm [1],
> Where in RFC 8624 do you believe it says that RSASHA1 is deprecated?
> Searching for "depreca" in the document finds it used for other algorithms,
> but not RSASHA1.
>
> Further, the chart clearly shows it is not deprecated:
> +--------+--------------------+-----------------+-------------------+
> | Number | Mnemonics          | DNSSEC Signing  | DNSSEC Validation |
> +--------+--------------------+-----------------+-------------------+
> . . .
> | 5      | RSASHA1            | NOT RECOMMENDED | MUST              |
>
> That is, "MUST" validate is clearly not deprecated.
>
> --Paul Hoffman
We are preparing RHEL 9 and we still have SHA-1 for DNS(SEC) as an exception. But we think it would happen when it would be under support. Thank you for the exact reference, it may be used in our internal discussion.

While it might not be required yet, it should be ready when that happens. Is there an expected timeline for that yet? Any required changes which may change validation to SHOULD or MAY? Is it just about DNSSEC algorithms used on top-level domains?

Server configuration already makes it possible to disable any algorithm, including RSASHA1. It must implement it and it would. The question here is only whether it would be disabled in the default configuration or not. We are not considering disabling its support at build time; it would always be possible to enable it later.

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
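Paul's point that disabling an algorithm makes validly signed zones look unsigned, and Petr's remark that validator configuration can disable RSASHA1, modelled as an added illustration (not code from the thread, from RHEL, or from any resolver): DS records whose algorithm or digest type the validator no longer supports are pruned as in RFC 4035 section 5.2 and RFC 6840 section 5.2, and a delegation left with no usable DS is treated as insecure rather than bogus. Algorithm and digest numbers are the IANA registry values; the zones and key tags are constructed sample data.

```python
from dataclasses import dataclass

# IANA DNSSEC algorithm numbers used below (subset of the registry).
RSASHA1, RSASHA1_NSEC3_SHA1, RSASHA256, ECDSAP256SHA256 = 5, 7, 8, 13
# DS digest types: 1 = SHA-1, 2 = SHA-256.
SHA1, SHA256 = 1, 2

# "DNSSEC Validation" column of the RFC 8624 table for these algorithms.
RFC8624_VALIDATION = {RSASHA1: "MUST", RSASHA1_NSEC3_SHA1: "MUST",
                      RSASHA256: "MUST", ECDSAP256SHA256: "MUST"}

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int

def classify_delegation(ds_rrset, supported_algorithms, supported_digests):
    """Model of the DS pruning in RFC 4035 s5.2 and RFC 6840 s5.2.

    A DS record is usable only if the validator supports both its signing
    algorithm and its digest type.  When no DS in an authenticated DS RRset
    is usable there is no authentication path into the child, so the
    validator treats the child as unsigned ("insecure"), just as if the
    parent had proven that no DS exists.  Otherwise the DNSKEY/RRSIG chain
    still has to be verified ("validate"); that crypto step is not modelled.
    """
    usable = [ds for ds in ds_rrset
              if ds.algorithm in supported_algorithms
              and ds.digest_type in supported_digests]
    return "validate" if usable else "insecure"

def disabled_but_must_validate(disabled_algorithms):
    """Algorithms in the disable list that RFC 8624 says validators MUST
    still validate; a non-empty result means local policy diverges from
    the RFC (the case discussed in the thread for RSASHA1)."""
    return sorted(a for a in disabled_algorithms
                  if RFC8624_VALIDATION.get(a) == "MUST")

# Constructed sample data: key tags and zones are made up for this example.
LEGACY_ZONE_DS = [DS(12345, RSASHA1, SHA256)]           # only an RSASHA1 key
DUAL_ALG_ZONE_DS = [DS(12345, RSASHA1, SHA256),          # RSASHA1 plus ECDSA
                    DS(23456, ECDSAP256SHA256, SHA256)]
ALL_ALGS = {RSASHA1, RSASHA1_NSEC3_SHA1, RSASHA256, ECDSAP256SHA256}
NO_SHA1_ALGS = ALL_ALGS - {RSASHA1, RSASHA1_NSEC3_SHA1}
ALL_DIGESTS = {SHA1, SHA256}
```

With RSASHA1 disabled, LEGACY_ZONE_DS is classified "insecure" (answers are served unsigned, never rejected), while DUAL_ALG_ZONE_DS still validates through its ECDSA DS; that is the difference between an operator-only impact and a hard outage.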