On Thu, May 2, 2024 at 6:44 AM John Levine <jo...@taugh.com> wrote:

> It appears that Philip Homburg  <pch-dnso...@u-1.phicoh.com> said:
> >In your letter dated Thu, 2 May 2024 10:27:17 +0200 you wrote:
> >>I'm not following what breaks based on the wording I suggested, and I'm
> not su
> >>re why you keep bringing that up. :-)
> >
> >Then an RFC gets published that signers MUST NOT support signing using
> SHA1,
> >so ldns removes those algorithms. Then a software update brings the new
> >version of ldns my system. Now an unsigned zone gets deployed, ....
>
> On the other hand, if it issued annoying warning messages every time it
> used a SHA1 key, I'd eventually notice and probably rotate the keys.
>
> I'm with Peter, I do not see a MUST NOT as requiring vendors or operators
> to do stupid stuff.
>

A MUST NOT in RFC 8624 directs implementations to remove their
implementation of an algorithm. The current NOT RECOMMENDED is the
appropriate recommendation, according to the text of an RFC, for an
implementation to issue a warning that the algorithm is deprecated and
should not be used for signing. Here's the description of the intent in the
deprecation process outlined in RFC 8624. It seems to me this discussion
has strayed from that core process to various perspectives about whether or
not SHA-1 remains "secure enough".

  "It is expected that deprecation of an algorithm will be performed
   gradually in a series of updates to this document.  This provides
   time for various implementations to update their implemented
   algorithms while remaining interoperable.  Unless there are strong
   security reasons, an algorithm is expected to be downgraded from MUST
   to NOT RECOMMENDED or MAY, instead of to MUST NOT.  Similarly, an
   algorithm that has not been mentioned as mandatory-to-implement is
   expected to be introduced with a RECOMMENDED instead of a MUST.

   Since the effect of using an unknown DNSKEY algorithm is that the
   zone is treated as insecure, it is recommended that algorithms
   downgraded to NOT RECOMMENDED or lower not be used by authoritative
   nameservers and DNSSEC signers to create new DNSKEYs.  This will
   allow for deprecated algorithms to become less and less common over
   time.  Once an algorithm has reached a sufficiently low level of
   deployment, it can be marked as MUST NOT so that recursive resolvers
   can remove support for validating it.

   Recursive nameservers are encouraged to retain support for all
   algorithms not marked as MUST NOT."

I have seen absolutely no "strong security reasons" presented in this
discussion for altering that deprecation model when it comes to DNSSEC
algorithms 5 and 7. (I would consider 5 less widely deployed, but since the
only difference between the two is support for NSEC3 I don't see a reason
to treat them differently.) Algorithm 7 remains widely used and by zones
most people would consider significant. In the US, for instance, that
includes cdc.gov. Moreover, as others have pointed out, the following
assertion in the draft is factually wrong. I'm not going to support a
standards document that can't even accurately state facts.

"This document retires the use of SHA-1 within DNSSEC."

Well, no. It doesn't. NSEC3 will continue to require SHA-1 until such time
as that standard is also changed. The draft instructs implementations to no
longer support algorithms 5 and 7 for both signing and validation and by
changing both to MUST NOT at the same time it contravenes the deprecation
model outlined in RFC 8624 without providing any justification beyond some
security hand-waving.

RFC 8624 provides the correct guidance to implementations for the current
state of use for algorithms 5 and 7. There are no "strong security reasons"
for deviating from the deprecation model outlined in the RFC. "NOT
RECOMMENDED" for signing means the same as "SHOULD NOT". (That's also
included with the RFC reference in the text of RFC 8624.) That seems
appropriate for signing implementations to issue warnings that the
algorithms are deprecated for signing if they choose. The guidance for
support in validators is not supposed to move to MUST NOT until an
algorithm has reached a low enough level of deployment. I don't see how
anyone can reasonably argue that is the case today for algorithm 7.

In my opinion, this draft should not move forward.

Scott
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Reply via email to