[dns-operations] Stale NTA for "peek.ru" at Cloudflare?
Viktor Dukhovni
ietf-dane at dukhovni.org
Fri Mar 13 23:44:58 UTC 2020
On Fri, Mar 13, 2020 at 06:01:52PM -0400, Viktor Dukhovni wrote:
> That said the "MUST NOT" validate algorithms from that table have the
> following frequencies in the wild based on my (unavoidably incomplete)
> survey of ~10.8 million signed domains:
>
> dane=> select count(distinct qname), alg from ds where alg in (1,3,6) group by 2 order by 1 desc;
> count | alg
> -------+-----
> 288 | 1
> 234 | 3
> 40 | 6
>
> So the scope of the problem is admittedly rather modest, affecting fewer
> than 600 of the ~10.8 million domains.
After upgrading my system to unbound 1.10.0, I see the same response
from the local unbound server as from Cloudflare:
$ hsdig -CD -t tlsa _25._tcp.beta.peek.ru
_25._tcp.beta.peek.ru. IN CNAME _tlsa.peek.ru. ; NoError AD=0
_tlsa.peek.ru. IN TLSA 3 0 1 ef3d63aa7b10d1f060d43d30b356f19a38fddb36542ab188da787524be265a24 ; NoError AD=0
_tlsa.peek.ru. IN TLSA 3 0 1 925758b9aed10aa43ad72b5cd170eee4744d56cda9e3d970df2769e3085b083d ; NoError AD=0
So perhaps this is to be expected given that DSA-NSEC3-SHA1 went from
"optional" in:
https://tools.ietf.org/html/rfc6944#section-2.3
to "MUST NOT" for both signing and validation in
https://tools.ietf.org/html/rfc8624#section-3.1
In future RFCs deprecating algorithms (e.g. soon I hope RSASHA1 5 and
RSASHA1-NSEC3-SHA1 7) we should perhaps aim to first specify "MUST NOT"
for signing, and only some time (years) later "MUST NOT" for validation.
Which I think ideally means updating "8624" *this year* with a "MUST NOT"
for signing for 5 and 7, with a view to "MUST NOT" also for validation
no earlier than 2022.
--
Viktor.
More information about the dns-operations
mailing list