Disable SHA1 In OpenDNSSec
OpenDNSSec' enforcer has a (deprecated) -sha1 CLI option that brings back the old behavior, e.g. include the SHA1 version of the DS. As SHA1 use is deprecated in favour of SHA256, disable the -sha1 CLI knob so that it only displays a warning.
- Name: François Cami
- Email: email@example.com
- Targeted release: Fedora Linux 35
- Last updated: 2021-07-06
- FESCo issue: #2633
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
OpenDNSSec changed the default behavior to not include SHA1 DS by default, and added the -sha1 knob as an immediately-deprecated compatibility knob in version 2.1.0 (2017-2): "OPENDNSSEC-552: By default ‘ods-enforcer key export –ds’ included the SHA1 version of the DS. SHA1 use is discouraged in favour of SHA256. To get the SHA1 DS use the –sha1 flag. This flag is immediately deprecated and will be removed from future versions of OpenDNSSEC." (see ChangeLog: https://www.opendnssec.org/archive/releases/ ).
The proposal is to disable the -sha1 knob in Fedora. I will also open an issue upstream to remove all the sha1-related code.
Supporting statement [from ICANN (2020-1-24): "Now is the time for administrators of zones at all levels of the DNS to stop using SHA-1 and change to algorithms using stronger hashes."
Benefit to Fedora
- This change makes sure OpenDNSSec in Fedora follows ICANN's guidelines and does not propose SHA1 DS. This is is needed given the latest attacks against SHA-1. More in-depth articles are available there and there.
- This change is aligned with previous features:
- Proposal owners:
Patch the enforcer so that bsha1 is not honored anymore:
./enforcer/src/keystate/keystate_export_cmd.c-271- break; ./enforcer/src/keystate/keystate_export_cmd.c-272- case 's': ./enforcer/src/keystate/keystate_export_cmd.c:273: bsha1 = 1; ./enforcer/src/keystate/keystate_export_cmd.c-274- break; ./enforcer/src/keystate/keystate_export_cmd.c-275- default:
- Other developers:
- Release engineering: #Releng issue number
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives: N/A
Zones with SHA-1 signatures can be migrated to SHA-256 by re-signing the zone. This change might break (very old) clients that only recognize SHA-1 but these should already be broken (on the Internet at least) because the root zone is signed with SHA-256 only.
How To Test
OpenDNSSec in Fedora can currently be used to sign zones with SHA1. With this change, this will no longer be possible. The migration from SHA1 is underway anyway.
FreeIPA (freeipa-server-dns) depends on OpenDNSSec.
- Contingency mechanism: Keep the current -sha1 knob's behavior (remove the patch).
- Contingency deadline: Beta freeze
- Blocks release? No, unless the change breaks IPA.
N/A (not a System Wide Change)