> On 30 Apr 2024, at 06:00, Paul Wouters <p...@nohats.ca> wrote:
> 
> On Mon, 29 Apr 2024, Philip Homburg wrote:
> 
>> As far as I know there is no second pre-image attack on SHA1, and there
>> will not be one in the foreseeable future.
> 
> Correct.
> 
>> So if we deprecate SHA1 for validators, and assuming validators will follow
>> this advice, and some platforms already stopped validating SHA1, then there
>> may be zones that are mostly secure today that become insecure or bogus
>> when we are done with the draft.
> 
> The advice is split between producing SHA1 signatures and consuming SHA1
> signatures, and those timings do not have to be identical.
> 
> That said, a number of OSes have already forced the issue by failing
> SHA1 as cryptographic operation (RHEL, CentOS, Fedora, maybe more). So
> right now, if you run DNSSEC with SHA1 (which includes NSEC3 using
> SHA1), your validator might already return it as an insecure zone.
 
They DO NOT disable SHA1.  They disable RSASHA1.  The distinction is
important.  NSEC3 works fine on them.  

> I think a MUST NOT for signing with SHA1 is a no-brainer. The timing for
> MAY on validation should be relatively short (e.g. 0-2 years?)
> 
> For NSEC3 requiring SHA1, that will depend a bit on whether DNS
> validators have rewritten their code to allow the use of SHA1 on
> those systems where it is disabled for "cryptographic reasons". I'm
> not up to date on it, but my suggestion on adding SHA2 for NSEC3 so
> far is not well received. Getting a list of the main resolvers (services
> and software) and whether they properly support NSEC3 w SHA1 would
> be helpful in making such decisions.
> 
> Paul
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
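The distinction drawn above (a platform policy that rejects SHA1 as a signature algorithm, versus SHA1 as a plain hash, which NSEC3 needs) is easy to see in code. The following is an added example, not code from this thread or from ISC: it implements the RFC 5155 NSEC3 owner-name hash using only `hashlib.sha1`, and separately classifies DNSSEC signing algorithm numbers by whether their RRSIGs are SHA1-based signatures. The salt and iteration count are the RFC 5155 Appendix A values; the algorithm-number table is the IANA DNSSEC algorithm registry as I know it.

```python
import base64
import hashlib

# Presentation name -> canonical wire format (lower-cased labels, each
# length-prefixed, terminated by a zero byte), as NSEC3 hashing requires.
def canonical_wire_name(name: str) -> bytes:
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

# RFC 4648 base32 with the "extended hex" alphabet (0-9 A-V), which is what
# NSEC3 owner names use; built by re-mapping the standard base32 alphabet.
_B32_TO_HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                            "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def base32hex(data: bytes) -> str:
    std = base64.b32encode(data).decode("ascii").rstrip("=")
    return std.translate(_B32_TO_HEX).lower()

# RFC 5155 section 5: IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt).
# Only the SHA1 *hash* is used here; no signature operation is involved,
# so a policy that disables SHA1 signatures does not affect this code.
def nsec3_hash(owner: str, salt_hex: str, iterations: int) -> str:
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(canonical_wire_name(owner) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)

# DNSSEC algorithm numbers whose RRSIGs are RSA- or DSA-over-SHA1.  These are
# the signatures a distro crypto policy that rejects SHA1 signatures will fail
# to verify; algorithms 8, 10, 13, 14, 15 and 16 use SHA-2 or EdDSA instead.
SHA1_SIGNATURE_ALGORITHMS = {
    3: "DSA",
    5: "RSASHA1",
    6: "DSA-NSEC3-SHA1",
    7: "RSASHA1-NSEC3-SHA1",
}

def signature_uses_sha1(algorithm: int) -> bool:
    return algorithm in SHA1_SIGNATURE_ALGORITHMS

if __name__ == "__main__":
    # RFC 5155 Appendix A: apex "example." hashed with salt aabbccdd, 12 iterations.
    print(nsec3_hash("example.", "aabbccdd", 12))
    for alg in (5, 7, 8, 13):
        print(alg, "SHA1 signature" if signature_uses_sha1(alg) else "not SHA1-based")
```

Running it on a RHEL-style system with the DEFAULT crypto policy, the NSEC3 hash computes normally even though a zone signed with algorithm 5 or 7 would fail validation there; that is exactly the RSASHA1-versus-SHA1 distinction.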
