Hello, is there any document obsoleting RFC 4509 sections 3 and 6.1?
https://tools.ietf.org/html/rfc4509#section-3
> Implementations MUST support the use of the SHA-256 algorithm in DS
> RRs. Validator implementations SHOULD ignore DS RRs containing SHA-1
> digests if DS RRs with SHA-256 digests are present in the DS RRset.

https://tools.ietf.org/html/rfc4509#section-6.1
> 6.1. Potential Digest Type Downgrade Attacks
>
> A downgrade attack from a stronger digest type to a weaker one is
> possible if all of the following are true:
>
> o A zone includes multiple DS records for a given child's DNSKEY,
>   each of which uses a different digest type.
>
> o A validator accepts a weaker digest even if a stronger one is
>   present but invalid.
>
> For example, if the following conditions are all true:
>
> o Both SHA-1 and SHA-256 based digests are published in DS records
>   within a parent zone for a given child zone's DNSKEY.
>
> o The DS record with the SHA-1 digest matches the digest computed
>   using the child zone's DNSKEY.
>
> o The DS record with the SHA-256 digest fails to match the digest
>   computed using the child zone's DNSKEY.
>
> Then, if the validator accepts the above situation as secure, then
> this can be used as a downgrade attack since the stronger SHA-256
> digest is ignored.

Unbound defaults to "harden-algo-downgrade: off" since October 2015, and Knot Resolver does not enforce it either.

As far as I understand this is done for practical reasons, because protection against the attack described in RFC 4509 section 6.1 was causing too much breakage in practice.

Do we need to update/obsolete the requirement in RFC 4509 section 3? Alternatively, are we (= implementers) doing it wrong?

-- 
Petr Špaček @ CZ.NIC
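The following is an added illustration, not part of the original message and not code from Unbound or Knot Resolver. It contrasts the DS selection rule quoted from RFC 4509 section 3 with a validator that accepts any matching digest, using the section 6.1 scenario. The owner name, DNSKEY bytes, function names and the `strict` parameter are constructed for the example.

```python
import hashlib

SHA1, SHA256 = 1, 2  # DS digest type numbers
HASHES = {SHA1: hashlib.sha1, SHA256: hashlib.sha256}

def name_to_wire(name):
    """Canonical (lowercase) wire form of a fully qualified owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(owner, dnskey_rdata, digest_type):
    """DS digest = hash(owner name | DNSKEY RDATA), per RFC 4034 section 5.1.4."""
    return HASHES[digest_type](name_to_wire(owner) + dnskey_rdata).digest()

def ds_matches(owner, dnskey_rdata, ds_rrset, strict):
    """True if a DS record the validator is willing to use matches the DNSKEY.

    ds_rrset: (digest_type, digest) pairs that share one key tag and algorithm.
    strict=True : RFC 4509 section 3, ignore SHA-1 DS when SHA-256 DS is present.
    strict=False: accept any supported digest that matches.
    """
    usable = [ds for ds in ds_rrset if ds[0] in HASHES]
    if strict and any(t == SHA256 for t, _ in usable):
        usable = [ds for ds in usable if ds[0] != SHA1]
    return any(ds_digest(owner, dnskey_rdata, t) == d for t, d in usable)

# Constructed sample data: flags 257, protocol 3, algorithm 13, dummy key bytes.
OWNER = "example."
DNSKEY = bytes([0x01, 0x01, 3, 13]) + bytes(range(64))

# Consistent parent zone: both digests match the child's DNSKEY.
CONSISTENT = [(SHA1, ds_digest(OWNER, DNSKEY, SHA1)),
              (SHA256, ds_digest(OWNER, DNSKEY, SHA256))]
# Section 6.1 scenario: the SHA-1 DS matches, the SHA-256 DS does not.
MISMATCHED = [(SHA1, ds_digest(OWNER, DNSKEY, SHA1)),
              (SHA256, bytes(32))]

if __name__ == "__main__":
    for label, rrset in (("consistent", CONSISTENT), ("mismatched", MISMATCHED)):
        for strict in (True, False):
            ok = ds_matches(OWNER, DNSKEY, rrset, strict)
            print(f"{label:10} strict={strict!s:5} -> {'secure' if ok else 'bogus'}")
```

With the mismatched RRset the strict validator reports the delegation as bogus while the lenient one reports it as secure, which is the trade-off between breakage and downgrade resistance raised in the message.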
