Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Validating DSA algorithms #153

Closed
vcunat opened this issue Jan 26, 2020 · 4 comments
Closed

Validating DSA algorithms #153

vcunat opened this issue Jan 26, 2020 · 4 comments
Assignees

Comments

@vcunat
Copy link
Contributor

vcunat commented Jan 26, 2020

Currently unbound seems to consider the two DSA* signing algorithms as secure (unless --disable-dsa). Is there some reason for that? The latest standard says that these must not be supported in validators.

@ghost
Copy link

ghost commented Jan 26, 2020

And whilst the RFC does not stipulate as such, but NOT RECOMMENDED for SHA1, recent revelations would suggest to disable SHA1 as well.
It would not have any repercussion since DNSSEC is not leveraged at all in any major end user application, be it web browsers or email clients or any other applications that less visibly to the end user establishes connectivity to the internet with DNS involved.


[1] https://www.icann.org/news/blog/it-s-time-to-move-away-from-using-sha-1-in-the-dns

@vcunat
Copy link
Contributor Author

vcunat commented Jan 26, 2020

That not recommended was just for signing (i.e. in different column). Still who knows, the RFC might've been a little bit stricter if written today :-) (It was published less than a year ago, but its origins are a couple years older.)

@ghost
Copy link

ghost commented Jan 26, 2020

Right, my reading glasses where are they now?

@wcawijngaards wcawijngaards self-assigned this Jan 27, 2020
@wcawijngaards
Copy link
Member

wcawijngaards commented Jan 27, 2020

So for both these things that are configure options --disable-dsa and --disable-sha1. Since the RFC stops signers from sha1, this is not the validator, so we should not ship that by default. It is there are a configure flag should you want that behaviour, right now. The dsa thing can be switched to default off, I guess, since that is what the RFC wants.

jedisct1 added a commit to jedisct1/unbound that referenced this issue Jan 27, 2020
* nlnet/master: (28 commits)
  - Add changelog entry for PR#148.
  - Add changelog entry for RP#154 - autoconf after PR#154
  - Fix NLnetLabs#153: Disable validation for DSA algorithms.  RFC 8624   compliance.
  Changelog note for PR#155. - Merge PR#155 from Rober Edmonds: contrib/libunbound.pc.in: Fixes   to Libs/Requires for crypto library dependencies.
  contrib/libunbound.pc.in: Embed the correct crypto dependencies
  contrib/libunbound.pc.in: Only specify -lunbound for Libs
  Allow use of libbsd functions with configure option --with-libbsd
  Changelog and contrib/README note for PR#150. - Merge PR#150 from Frzk: Systemd unit without chroot.  It add   contrib/unbound_nochroot.service.in, a systemd file for use with   chroot: "", see comments in the file, it uses systemd protections   instead.
  Patch configure.ac file to take the new contrib/unbound_nochroot.service unit file in consideration.
  Added a new unit file to run unbound with systemd and without chroot.
  Update unbound_munin_
  - Fix auth zone support for NSEC3 records without salt.
  - Fix for memory leak when edns subnet config options are read when   compiled without edns subnet support.
  - Fix crash after reload where a stats lookup could reference old key   cache and neg cache structures.
  - Removed the dnscrypt_queries and dnscrypt_queries_chacha tests,   because dnscrypt-proxy (2.0.36) does not support the test setup   any more, and also the config file format does not seem to have   the appropriate keys to recreate that setup.
  - Fix unreachable code in ssl set options code.
  - Fix the relationship between serve-expired and prefetch options,   patch from Saksham Manchanda from Secure64.
  - Add changelog entry for fix NLnetLabs#138 (stop binding pidfile inside chroot dir in   systemd service file).
  unbound.service.in: stop binding pidfile inside chroot dir
  - And update for more spare space.
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants