On Mon, 29 Apr 2024, Philip Homburg wrote:
As far as I know there is no second pre-image attack on SHA1, and there will not be one in the foreseeable future.
Correct.
So if we deprecate SHA1 for validators, and assuming validators will follow this advice, and some platforms already stopped validating SHA1, then there may be zones that are mostly secure today that become insecure or bogus when we are done with the draft.
The advise is split between producing SHA1 signatures and consuming SHA1 signatures, and those timings do not have to be identical. That said, a number of OSes have already forced the issue by failing SHA1 as cryptographic operation (RHEL, CentOS, Fedora, maybe more). So right now, if you run DNSSEC with SHA1 (which includes NSEC3 using SHA1), your validator might already return it as an insecure zone. I think a MUST NOT for signing with SHA1 is a no-brainer. The timing for MAY on validation should be relatively short (eg 0-2 years?) For NSEC3 requiring SHA1, that will depend a bit on whether DNS validators have rewritten their code to allow the use of SHA1 on those systems where it is disabled for "cryptographic reasons". I'm not up to date on it, but my suggestion on adding SHA2 for NSEC3 so far is not well received. Getting a list of the main resolvers (services and software) and whether they properly support NSEC3 w SHA1 would be helpful in making such decisions. Paul _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
