Matthew Pounsett <m...@conundrum.com> wrote:
> On Wed, Mar 23, 2022 at 3:20 PM Petr Menšík <pemen...@redhat.com> wrote:
> >
> > Yes, it says so. It also says SHA-1 is not recommended for new
> > signatures and ietf.org signature was made at 20220318000627.
>
> It's more accurate to say that it's not recommended for new
> deployments. Operators are encouraged to migrate to more secure
> algorithms, but given an existing deployment there's no MUST
> associated with that migration, yet.
That was a serious error in RFC 8624, that should have been called out
when it was being prepared. Arguably, the same could be said for its
predecessor RFC 6944.
The lifetime of the signature is not relevant for the kind of collission
attack demonstrated by the "SHA-1 is a shambles" paper, because the
structure of an attack is:
* attacker predicts the the framing in the signature chosen by the
victim, things like the inception and expiration times
* attacker generates colliding plaintexts, superficially benign (to be
signed by the victim) and malicious; this takes some time
* attacker submits a DNS update containing the superficially benign
RRset, which is signed by the victim
* attacker re-attaches the signature to the malicious RRset and uses it
in a DNS record substitution attack.
This is the same structure as previous successful attacks on X.509
certificates with MD5 signatures. As well as continuing to use a weak
hash function, DNSSEC has not adopted any mitigations, such as
hard-to-predict framing, that are used in the PKIX world.
I have explained how DNSSEC is vulnerable to SHA-1 collisions in detail,
but sadly I was not gentle enough about the way I said it, and various
people on this list got upset and accused me of trying to break the DNS.
Sheesh.
Anyway, I-D version:
https://datatracker.ietf.org/doc/html/draft-fanf-dnsop-sha-ll-not-00
Blog version:
https://www.dns.cam.ac.uk/news/2020-01-09-sha-mbles.html
https://www.dns.cam.ac.uk/news/2020-02-14-sha-mbles.html
Also republished at:
https://blog.apnic.net/2020/01/17/sha-1-chosen-prefix-collisions-and-dnssec/
--
Tony Finch <d...@dotat.at> https://dotat.at/
Lyme Regis to Lands End including the Isles of Scilly: East or
northeast, becoming variable for a time, 2 to 4. In west, slight or
moderate becoming slight later, in east smooth or slight. Fair. Good,
occasionally moderate._______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
