On Sat, Aug 13, 2022 at 10:48:59PM +1000, Mark Andrews wrote:

> So you are ready to replace SHA1 in NSEC3 and do a second algorithm
> renumber which is what is required to actually get rid of SHA1 or do
> you mean retire RSA-SHA1.

No. Please let's NOT deprecate SHA-1 in NSEC3. The use of SHA-1 in NSEC3 is not as part of a cryptographic signature, it is basically light obfuscation to resist zone walking.

Generating SHA-1 collisions in the node names of the NSEC3 chain is rather non-trivial. Only enough collision resistance is required to avoid practical collisions on short inputs (typically single-label prefixes of a common parent). Public eTLDs rarely allow registration of multi-label child zones (.name is an exception), and even then the labels are subject to syntax rules (LDH) that make collision attacks difficult.

The known chosen-prefix extension attacks require at least 1024 bits (128 bytes or two SHA-1 compression blocks) of data, and the colliding inputs are binary data that would not be valid for registration under a public suffix.

Effective attacks use more blocks, e.g. ~10 in:

    https://www.usenix.org/system/files/sec20-leurent.pdf

which at 640 bytes is well beyond the maximum DNS name size of 255 bytes.

SHA-1 collisions can manifest in the RDATA of DNS records, but these don't affect the NSEC3 chain.

-- 
    Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
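
The NSEC3 hashing and the size and syntax limits discussed in the message above, as an added example (not code from the message or from any DNS implementation). It follows the RFC 5155 hash definition; the function names are hypothetical, names are assumed to be plain ASCII presentation format without escapes, and the root name is not handled.

```python
import base64
import hashlib
import re

MAX_NAME = 255    # maximum DNS name size in bytes (wire format)
MAX_LABEL = 63    # maximum size of one label, less than one SHA-1 block
SHA1_BLOCK = 64   # bytes consumed per SHA-1 compression block
LDH = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?", re.I)
B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                         b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def to_wire(name):
    """Canonical (lowercase) wire form; rejects names DNS cannot carry."""
    wire = b""
    for label in name.rstrip(".").split("."):
        raw = label.lower().encode("ascii")
        if not 0 < len(raw) <= MAX_LABEL:
            raise ValueError("label must be 1..63 bytes")
        wire += bytes([len(raw)]) + raw
    wire += b"\x00"
    if len(wire) > MAX_NAME:
        raise ValueError("name exceeds 255 bytes")
    return wire

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash: SHA-1(name || salt), then re-hashed `iterations` times."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(B32HEX).decode().lower()

def registrable(label):
    """True if a label satisfies LDH syntax and the 63-byte label limit."""
    return len(label) <= MAX_LABEL and LDH.fullmatch(label) is not None

def blocks_fit_in_name(blocks):
    """True if `blocks` full SHA-1 blocks of chosen data fit in one name.
    Size is only one constraint: the data must also pass registrable()."""
    return blocks * SHA1_BLOCK <= MAX_NAME

if __name__ == "__main__":
    # Constructed inputs; the first is the apex of the RFC 5155 Appendix A zone.
    print(nsec3_hash("example", "aabbccdd", 12))
    print(registrable("shop-1"), registrable("bin\x00ary"))
    print(blocks_fit_in_name(2), blocks_fit_in_name(10))
```
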