On Mon, 29 Apr 2024, Paul Hoffman wrote:
If the purpose of deprecating validation that involves SHA-1 is the decision by RedHat to make that entire section of the DNS insecure, the documents should say that explicitly. Conflating the pre-image weaknesses of SHA-1 and actual useful attacks on DNSSEC, and then using that conflation as the reason for the WG adopting these documents, is not useful.
Redhat is not the source of this. It is the certification people that say you cannot use SHA1 in cryptographic functions related to authentication, encryption, or digital signatures. And that these requirements are getting centrally codified in an OS that cannot take DNS into account.
(And, if anyone believes that collision reduction attacks on a hash are likely to lead to preimage reduction attacks, please look at the literature about MD5. The collision resistance has been massively reduced, and there is still zero preimage reduction after almost 20 years.)
Tony Finch and Viktor Dukovhny believe an attack with SHA1 is possible. I have not yet been convinced by them. See: https://www.dns.cam.ac.uk/news/2020-01-09-sha-mbles.html I agree SHA1 in DNSSEC does not pose a risk right now, but also agree that we should push hard for people to stop creating SHA1 based data. Last time Viktor shared data, I think SHA1 was sufficiently small that we could move forward without breaking too much. Perhaps Viktor can share his updated numbers with us. Paul _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
