On Sat, Aug 13, 2022 at 10:48:59PM +1000, Mark Andrews wrote:

> So you are ready to replace SHA1 in NSEC3 and do a second algorithm
> renumber which is what is required to actually get rid of SHA1 or do
> you mean retire RSA-SHA1. 

No.  Please let's NOT deprecate SHA-1 in NSEC3.  The use of SHA-1 in
NSEC3 is not as part of a cryptographic signature, it is basically light
obfuscation to resist zone walking.

Generating SHA-1 collisions in the node names of the NSEC3 chain is
rather non-trivial.  Only enough collision resistance is required to
avoid practical collisions on short inputs (typically single-label
prefixes of a common parent).  Public eTLDs rarely allow registration of
multi-label child zones (.name is an exception), and even then the
labels are subject to syntax rules (LDH) that make collision attacks
difficult.

The known chosen-prefix extension attacks require at least 1024 bits
(128 bytes or two SHA-1 compression blocks) of data, and the colliding
inputs are binary data that would not be valid for registration under
a public suffix.

Effective attacks use more blocks, e.g. ~10 in:

    https://www.usenix.org/system/files/sec20-leurent.pdf

which at 640 bytes is well beyond the maximum DNS name size of 255
bytes.  SHA-1 collisions can manifest in the RDATA of DNS records, but
these don't affect the NSEC3 chain.

-- 
    Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
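
Added example, not part of the original message: a sketch of the RFC 5155 NSEC3 owner-name hash, showing that the SHA-1 input here is a length-limited, label-structured name plus the zone's salt. The salt and iteration count are the RFC 5155 Appendix A example-zone values; the function and constant names are illustrative assumptions.

```python
import base64
import hashlib
import string

# base32hex (RFC 4648) derived from the standard base32 alphabet
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                       "0123456789ABCDEFGHIJKLMNOPQRSTUV")
LDH = set(string.ascii_lowercase + string.digits + "-")
MAX_NAME = 255             # maximum DNS name size, as cited in the message
MIN_COLLISION_INPUT = 128  # bytes of attacker data, as cited in the message

def wire_name(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    out += b"\x00"
    if len(out) > MAX_NAME:
        raise ValueError("name longer than 255 bytes")
    return out

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash: SHA-1 over name||salt, then `iterations` more rounds."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(B32HEX).lower()

def registrant_prefix(name, parent):
    """(wire bytes, LDH-only?) of the labels a registrant chooses below parent."""
    n, p = name.lower().rstrip("."), parent.lower().rstrip(".")
    if not n.endswith("." + p):
        raise ValueError("name is not below parent")
    wire_name(n)  # enforce label and name length limits
    labels = n[:-len(p) - 1].split(".")
    return sum(len(l) + 1 for l in labels), all(set(l) <= LDH for l in labels)

if __name__ == "__main__":
    # Constructed sample input: apex name of the RFC 5155 Appendix A zone
    print(nsec3_hash("example", "aabbccdd", 12))
    size, ldh = registrant_prefix("a" * 63 + ".example", "example")
    print(size, ldh, size < MIN_COLLISION_INPUT)
```

A maximum-length single label contributes 64 wire bytes, one SHA-1 block, which is half of the 128 bytes the message cites as the minimum for the known attacks.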
