Deprecating DNSSEC algorithms 5 (RSASHA1) and 7 (RSASHA1-NSEC3-SHA1)
Bjørn Mork
bjorn at mork.no
Sat Mar 7 11:32:11 CET 2020
Viktor Dukhovni <ietf-dane at dukhovni.org> writes:
> On Fri, Mar 06, 2020 at 05:33:42PM +0100, Peter van Dijk wrote:
>> C. Each algorithm for which a DNSKEY exists, must sign all the records
>> in the zone.
>
> And the invariant holds, because it is signed with ZSKs for both
> algorithms.
>
>> Because of caching, step 1 potentially breaks this invariant.
>>
>> https://tools.ietf.org/html/rfc6781#section-4.1.4 explains this at
>> length (with better wording than I used), and appears to get it right.
You didn't really address Peter's concern. Any cached RRSIG with
remaining TTL higher than a cached DNSKEY will be invalid after the
cached DNSKEY expires if you add a new ZSK algorithm without first adding
the signatures.
You need to add the signatures first, wait until old sigs are expired,
and then add the new ZSK.
Looking at an example: My local resolver is going to keep the
www.ietf.org RRSIG cached for 589 seconds after the ietf.org DNSKEY
expires. If ietf.org were to add a ZSK with a new algorithm now, then
www.ietf.org will be considered invalid for those 589 seconds until the
cache picks up the new signature:
bjorn at miraculix:~$ dig dnskey ietf.org +dnssec +multiline; dig www.ietf.org +dnssec +multiline
; <<>> DiG 9.11.5-P4-5.1-Debian <<>> dnskey ietf.org +dnssec +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25914
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 00d41f1eaa6c1e2b0d935c335e637697980f4266912fe3c1 (good)
;; QUESTION SECTION:
;ietf.org. IN DNSKEY
;; ANSWER SECTION:
ietf.org. 589 IN DNSKEY 257 3 5 (
AwEAAavjQ1H6pE8FV8LGP0wQBFVL0EM9BRfqxz9p/sZ+
8AByqyFHLdZcHoOGF7CgB5OKYMvGOgysuYQloPlwbq7W
s5WywbutbXyG24lMWy4jijlJUsaFrS5EvUu4ydmuRc/T
GnEXnN1XQkO+waIT4cLtrmcWjoY8Oqud6lDaJdj1cKr2
nX1NrmMRowIu3DIVtGbQJmzpukpDVZaYMMAm8M5vz4U2
vRCVETLgDoQ7rhsiD127J8gVExjO8B0113jCajbFRcMt
UtFTjH4z7jXP2ZzDcXsgpe4LYFuenFQAcRBRlE6oaykH
R7rlPqqmw58nIELJUFoMcb/BdRLgbyTeurFlnxs=
) ; KSK; alg = RSASHA1 ; key id = 45586
ietf.org. 589 IN DNSKEY 256 3 5 (
AwEAAdDECajHaTjfSoNTY58WcBah1BxPKVIHBz4IfLjf
qMvium4lgKtKZLe97DgJ5/NQrNEGGQmr6fKvUj67cfrZ
UojZ2cGRizVhgkOqZ9scaTVXNuXLM5Tw7VWOVIceeXAu
uH2mPIiEV6MhJYUsW6dvmNsJ4XwCgNgroAmXhoMEiWEj
BB+wjYZQ5GtZHBFKVXACSWTiCtddHcueOeSVPi5WH94V
lubhHfiytNPZLrObhUCHT6k0tNE6phLoHnXWU+6vpsYp
z6GhMw/R9BFxW5PdPFIWBgoWk2/XFVRSKG9Lr61b2z1R
126xeUwvw46RVy3hanV3vNO7LM5HniqaYclBbhk=
) ; ZSK; alg = RSASHA1 ; key id = 40452
ietf.org. 589 IN RRSIG DNSKEY 5 2 1800 (
20210127000407 20200127230611 40452 ietf.org.
wiauz1dcDs1GctjHvWCw5Xxt61nTZhG7fjx5/+mC/uaL
3GKYwjS7cyBYl/YcXuufSAWFQLBy7BXFIkIxbXyKkCCo
uKogFWhoEilYZhUu/GxEppCK1Y7hvokM0i9enBlu7UDQ
GvJ9m9buJaKGtcKkiOAOTJB2djeyEexlgOpsQFst1TtM
DX6C7pdCjeaqTbFQrzq0LIBjthLJEzMWO4jNTr7bNcpi
8+nFDWV1MogDDP9cm8H89vMf4bUfqSvkskq2ouLNGwJ+
6gyDqUWu3KR8FvOhOWpq040/6ZWXMAduq5JDbt80oNdD
1xjwkhCQDI28fVj0v96MaQTWwR4Brj6p4Q== )
ietf.org. 589 IN RRSIG DNSKEY 5 2 1800 (
20210127000433 20200127230611 45586 ietf.org.
NRattAGqWXC55uwxwK+iCZhIj81/ljephfA+Hx57jEES
N2tCI4ZCldvOOtCojtkKnFchSsNoEfkuYpJtoAENlKat
jxBFYmAJJESqoV/X+jh5Y0j45787hF9TMc51//a6qjSl
PA3QJLZ2kReVgBRsBDQ9MroWaAWYKnsZOGKIKyg6Rxha
ADS/ATg/3kq2XZJuKRXHKx2sdCvqhMpuejgdqr/+SU2K
LUdPWrtvLmWRAP73MRIsBy52/rqR4iKkXhRLa6hPkovn
hikLibD6wijh53T0Oyqsj0mlpUEQSI6uV5b/9hp0TXpl
QhYCiDSuH1cu5fe/pgLvRpxkIEzof58vow== )
;; Query time: 28 msec
;; SERVER: 148.122.16.253#53(148.122.16.253)
;; WHEN: Sat Mar 07 11:25:27 CET 2020
;; MSG SIZE rcvd: 1209
; <<>> DiG 9.11.5-P4-5.1-Debian <<>> www.ietf.org +dnssec +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11102
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 4ff4c9a2b04e7362cc9958945e6376979d3ae21152d8ec4d (good)
;; QUESTION SECTION:
;www.ietf.org. IN A
;; ANSWER SECTION:
www.ietf.org. 1175 IN CNAME www.ietf.org.cdn.cloudflare.net.
www.ietf.org. 1175 IN RRSIG CNAME 5 3 1800 (
20210127000323 20200127230611 40452 ietf.org.
fX/FCVGya8pIk/2cMDWu3+iNKyWd0GLK4g6wtwp8v7rj
p+nynpRm1jOanP20p36Dod4qj0IdoMGu3PN2756QZW7L
zQ6nS+x7Re37Q52BP89ADXZ5J5tLlcaRl0MEyoj6/Cyv
6cW+GH8sK0PwYmE11mVzezI3ZrADWvTCmgNxEpxHxoF0
jlpJ0+JVt9gP2bbHWg0uF2yspTwspaoCSRcaO6KFKnkk
QXI2PFhgk0w/Od4NXe86V64U1WtMGcqNyGOe0zcq4HPm
iiW+lvZab6QuZJ8kq/A5HrDw66MzuRK5S2PJFjoF7lna
9OIru9JXT+FcHmozUpI9lwLJIwI5IRt11g== )
www.ietf.org.cdn.cloudflare.net. 300 IN A 104.20.0.85
www.ietf.org.cdn.cloudflare.net. 300 IN A 104.20.1.85
www.ietf.org.cdn.cloudflare.net. 300 IN RRSIG A 13 6 300 (
20200308112527 20200306092527 34505 cloudflare.net.
gEbu+OUEYzpr2m4Tsvukhpxyyy0ypEW1esxKg/q3qVQW
nfeGk7PTcH2oqcplMI+d/9cMQPJW7v0m+/dHXq97FA== )
;; Query time: 31 msec
;; SERVER: 148.122.16.253#53(148.122.16.253)
;; WHEN: Sat Mar 07 11:25:27 CET 2020
;; MSG SIZE rcvd: 552
Bjørn
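The cache interaction described in this message, as an added example that is not part of the original post: a simulation of one validating resolver's cache during an algorithm rollover, seeded with the two remaining TTLs from the dig output above (589 s for the DNSKEY RRset, 1175 s for the www.ietf.org CNAME and its RRSIG). The validator policy is the invariant quoted from Peter's mail, applied strictly (bogus if any algorithm in the cached DNSKEY RRset lacks a signature over the RRset); the target algorithm 13 (ECDSAP256SHA256) and the `wait` parameter are assumptions of the example, not something the message specifies.

```python
"""Simulate what a single validating resolver's cache sees during a DNSSEC
algorithm rollover, for the two orderings discussed in the thread:

  wait = 0     new-algorithm ZSK and its signatures published together
  wait = N     new-algorithm signatures first, the ZSK N seconds later
               (the conservative order of RFC 6781 section 4.1.4)

Validator policy modelled (the invariant quoted above, as a strict validator
would apply it): an RRset is bogus if some algorithm present in the cached
DNSKEY RRset has no RRSIG over the RRset in the cache.  Signatures by an
algorithm that has no DNSKEY are ignored rather than treated as an error.
"""
from dataclasses import dataclass

TTL = 1800         # TTL of the ietf.org DNSKEY and www.ietf.org CNAME above
DNSKEY_LEFT = 589  # remaining TTL of the cached DNSKEY RRset in the dig output
SIG_LEFT = 1175    # remaining TTL of the cached CNAME + RRSIG in the dig output
OLD_ALG = 5        # RSASHA1, as in the output
NEW_ALG = 13       # ECDSAP256SHA256, assumed here as the rollover target


@dataclass
class Cached:
    algs: frozenset  # DNSKEY entry: key algorithms; data entry: RRSIG algorithms
    expires: int     # absolute second at which the entry leaves the cache


class Zone:
    """Authoritative state: algorithms with a DNSKEY, algorithms signing data."""

    def __init__(self):
        self.dnskey_algs = {OLD_ALG}
        self.sig_algs = {OLD_ALG}  # each ZSK in this set signs every RRset


class Resolver:
    def __init__(self):
        self.cache = {}

    def fetch(self, zone, name, now):
        """Serve from cache until expiry, then refetch the current zone state."""
        entry = self.cache.get(name)
        if entry is None or entry.expires <= now:
            algs = zone.dnskey_algs if name == "DNSKEY" else zone.sig_algs
            entry = Cached(frozenset(algs), now + TTL)
            self.cache[name] = entry
        return entry

    def validates(self, zone, name, now):
        keys = self.fetch(zone, "DNSKEY", now)
        sigs = self.fetch(zone, name, now)
        # Every key algorithm must be covered; extra signature algorithms are fine.
        return keys.algs <= sigs.algs


def simulate(wait, horizon=4000):
    """Publish new-algorithm RRSIGs at t=0 and the new-algorithm DNSKEY at
    t=wait; query www every second and return the half-open interval of
    seconds during which the answer is bogus, or None if it never is."""
    zone, resolver = Zone(), Resolver()
    # Seed the cache with the remaining TTLs the dig output shows at t=0.
    resolver.cache["DNSKEY"] = Cached(frozenset({OLD_ALG}), DNSKEY_LEFT)
    resolver.cache["www"] = Cached(frozenset({OLD_ALG}), SIG_LEFT)
    bogus = []
    for now in range(horizon):
        if now == 0:
            zone.sig_algs.add(NEW_ALG)
        if now == wait:
            zone.dnskey_algs.add(NEW_ALG)
        if not resolver.validates(zone, "www", now):
            bogus.append(now)
    return (bogus[0], bogus[-1] + 1) if bogus else None


def bogus_seconds(wait):
    """Length of the outage window for a given wait, 0 if none."""
    window = simulate(wait)
    return window[1] - window[0] if window else 0


if __name__ == "__main__":
    for wait in (0, 500, TTL):
        print(f"wait={wait:5d}s  bogus window={simulate(wait)}  "
              f"({bogus_seconds(wait)} s)")
```

With `wait=0` (key and signatures at once) the resolver refetches the DNSKEY RRset at t=589, sees algorithm 13, and still holds the alg-5-only RRSIG for www until t=1175: the name is bogus for the whole gap between the two remaining TTLs. A wait of 500 s does not help this resolver either, because the new DNSKEY is still seen before the stale signature expires. Waiting a full TTL (1800 s) before publishing the key gives no bogus second. The simulation covers one resolver at one cache phase; real resolvers are at every possible phase, which is why the wait has to be at least the longest TTL of the signed data plus the time the new signatures need to reach all authoritative servers, and why the same ordering applies in reverse when the old algorithm is retired (remove its DNSKEY first, wait, then drop its signatures).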