[dns-operations] SHA-1 DNSSEC verification broken in RHEL 9 and CentOS 9 Stream
Ondřej Surý
ondrej at sury.org
Wed Apr 13 18:17:09 UTC 2022
I’m with Victor on this one. Disabling RSASHA1 signing in DNS software would be perfectly fine, crippling the validation is counterproductive and actively harmful.
Ondřej
--
Ondřej Surý <ondrej at sury.org> (He/Him)
> On 13. 4. 2022, at 20:10, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
> On Wed, Apr 13, 2022 at 07:06:06PM +0200, Petr Menšík wrote:
>
>> I know it violates still active RFC 8624 [3], but because it is enforced
>> by lower-level API, it is possible just to follow or fail. I think so
>> far every crypto call failure results in bogus result and returns status
>> SERVFAIL on the reply. Would it make sense to create some common cases,
>> where the result would be fallback to insecure reply without AD bit, but
>> no failure?
>
> DNSSEC signature validation failure MUST NOT downgrade to "insecure".
> If a validating resolver expects to be able to validate algorithm 5 or 7
> RRsets then (barring specific NTAs) "bogus" (i.e. SERVFAIL) is the only
> correct response when signature validation fails unexpectedly.
>
> * A validating resolver can only ignore signatures for algorithms it
> does not support, or zones explicitly designated as insecure by local
> policy (negative trust anchors or NTAs).
>
> * For an expected to be supported algorithm (not disabled by local
> policy, at compile time in the resolver software, ...) the only
> reason to downgrade a validation error to "insecure" would be if the
> error status is an unambiguous "late" indication that the algorithm
> is unavailable by crypto library policy. A new signal of this sort
> requires new code in the resolver.
>
> All the above said, I maintain that the new crypto policy is much too
> blunt a tool, that is suitable only for a narrow set (be it some of the
> most popular) of applications.
>
> Barring known cross-protocol attacks, or other compelling issues, in
> opportunistic security applications (RFC 7435) some security is better
> than none. Failing to validate RSA SHA1 signatures without an
> understanding of the application context is counterproductive and IMNSHO
> amounts to vandalism.
>
> This change in the default crypto policy should be reconsidered, and
> any policy changes need to be applied at a higher (application) layer.
>
> --
> Viktor.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
More information about the dns-operations
mailing list