Paul Wouters via Datatracker <[email protected]> writes:

> Zone owners currently making use of SHA-1 based algorithms should
> immediately switch to algorithms
>
> I would use "should immediately rollover to algorithms" to avoid the illusion
> some inexperienced DNS admins might have that they can just "switch" the
> algorithm without proper prep work of doing a real roll over.

I changed to "roll" instead as "rollover" is kinda an odd term (though
heavily used by investment firms).

> As a result, SHA-1 is no longer fully interoperable in the context of
> DNSSEC. As adequate alternatives exist, the use of SHA-1 is no longer
> advisable.
>
> That should be, "SHA-1 as part of a signature algorithm". Because the document
> isn't obsoleting SHA-1 from DS hashing algorithms right?

Fair point, done.

> In the Operational Considerations, one could add a sentence about the
> difference of not supporting SHA-1 versus having a system that does not
> support SHA-1. The first results in an insecure validation, which is okay.
> The second can result in ServFail, which is not okay. Something along the
> lines of:
>
> When not supporting or disabling SHA-1, care should be given by
> implementers that the DNS software itself is made aware not to consume
> SHA-1. For example, disabling SHA-1 at the Operating System level could
> result in SHA-1 cryptographic failures within the DNS system, which would
> result in those zones failing, instead of the zones being treated as
> unsigned/insecure

I'm not sure that fully works. I'd rather not try to find all the right
lines where SHA-1 could be implemented and/or removed. It is certainly
possible, for example, for the OS to have removed SHA-1 but the
application itself has its own implementation that it brings in. In
fact, in Net-SNMP we do just this: we have a portion of openssl with just
the algorithms we need in the code base that can be enabled with a flag
to specifically avoid linking to a bunch larger library with a bunch of
stuff we don't need.

How about:

    Implementations following this advice need to ensure the associated
    operating system and software libraries they depend upon have SHA-1
    support.

Though I'm not sure how much that is actually adding. But it does warn
about the odd situation of today's environment I suppose.

--
Wes Hardaker
USC/ISI
