From Fedora Project Wiki

(Created page with "<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name. This keeps all change proposals in the same namespace --> =...")
 
(Formatting fixes.)
Line 45: Line 45:
The proposal is to disable the -sha1 knob in Fedora. I will also propose the change upstream.
The proposal is to disable the -sha1 knob in Fedora. I will also propose the change upstream.


Supporting statement from ICANN: https://www.icann.org/en/blogs/details/its-time-to-move-away-from-using-sha-1-in-the-dns-24-1-2020-en
[https://www.icann.org/en/blogs/details/its-time-to-move-away-from-using-sha-1-in-the-dns-24-1-2020-en Supporting statement from ICANN].




Line 66: Line 66:
This change makes sure OpenDNSSec in Fedora follows ICANN's guidelines and does not propose SHA1 DS.
This change makes sure OpenDNSSec in Fedora follows ICANN's guidelines and does not propose SHA1 DS.
It is aligned with previous features:
It is aligned with previous features:
[[ https://fedoraproject.org/wiki/Features/StrongerHashes || StrongerHashes ]]
* [[Features/StrongerHashes]]
[[ https://fedoraproject.org/wiki/Changes/StrongCryptoSettings || StrongCryptoSettings ]]
* [[Changes/StrongCryptoSettings]]
[[ https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2 || StrongCryptoSettings2 ]]
* [[Changes/StrongCryptoSettings2]]




Line 74: Line 74:
* Proposal owners:
* Proposal owners:
Patch the enforcer so that bsha1 is not honored anymore:
Patch the enforcer so that bsha1 is not honored anymore:
./enforcer/src/keystate/keystate_export_cmd.c-271-                break;
./enforcer/src/keystate/keystate_export_cmd.c-271-                break;
./enforcer/src/keystate/keystate_export_cmd.c-272-            case 's':
./enforcer/src/keystate/keystate_export_cmd.c-272-            case 's':
./enforcer/src/keystate/keystate_export_cmd.c:273:                bsha1 = 1;
./enforcer/src/keystate/keystate_export_cmd.c:273:                bsha1 = 1;
./enforcer/src/keystate/keystate_export_cmd.c-274-                break;  
./enforcer/src/keystate/keystate_export_cmd.c-274-                break;  
./enforcer/src/keystate/keystate_export_cmd.c-275-            default:
./enforcer/src/keystate/keystate_export_cmd.c-275-            default:


* Other developers: <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Other developers: <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
Line 97: Line 97:
== Upgrade/compatibility impact ==
== Upgrade/compatibility impact ==
<!-- What happens to systems that have had a previous versions of Fedora installed and are updated to the version containing this change? Will anything require manual configuration or data migration? Will any existing functionality be no longer supported? -->
<!-- What happens to systems that have had a previous versions of Fedora installed and are updated to the version containing this change? Will anything require manual configuration or data migration? Will any existing functionality be no longer supported? -->
Zones with SHA-1 signatures can be migrated to SHA-256 by re-signing the zone.
Zones with SHA-1 signatures can be migrated to SHA-256 by re-signing the zone.  
This might break (very old) clients that only recognize SHA-1.  
This change might break (very old) clients that only recognize SHA-1.  





Revision as of 16:43, 25 June 2021


Change Proposal Name

DisableSHA1InOpenDNSSec

Summary

OpenDNSSec' enforcer has a (deprecated) -sha1 CLI option that brings back the old behavior, e.g. include the SHA1 version of the DS. As SHA1 use is deprecated in favour of SHA256, disable the -sha1 CLI knob so that it only displays a warning.

Owner


Current status

  • Targeted release: Fedora Linux 35
  • Last updated: 2021-06-25
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

OpenDNSSec changed the default behavior to not include SHA1 DS by default, and added the -sha1 knob as an immediately-deprecated compatibility knob in version 2.1.0 (2017-2): "OPENDNSSEC-552: By default ‘ods-enforcer key export –ds’ included the SHA1 version of the DS. SHA1 use is discouraged in favour of SHA256. To get the SHA1 DS use the –sha1 flag. This flag is immediately deprecated and will be removed from future versions of OpenDNSSEC." (see ChangeLog: https://www.opendnssec.org/archive/releases/ ).

The proposal is to disable the -sha1 knob in Fedora. I will also propose the change upstream.

Supporting statement from ICANN.


Feedback

Benefit to Fedora

This change makes sure OpenDNSSec in Fedora follows ICANN's guidelines and does not propose SHA1 DS. It is aligned with previous features:


Scope

  • Proposal owners:

Patch the enforcer so that bsha1 is not honored anymore:

./enforcer/src/keystate/keystate_export_cmd.c-271-                break;
./enforcer/src/keystate/keystate_export_cmd.c-272-            case 's':
./enforcer/src/keystate/keystate_export_cmd.c:273:                bsha1 = 1;
./enforcer/src/keystate/keystate_export_cmd.c-274-                break; 
./enforcer/src/keystate/keystate_export_cmd.c-275-            default:
  • Other developers:
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives: N/A

Upgrade/compatibility impact

Zones with SHA-1 signatures can be migrated to SHA-256 by re-signing the zone. This change might break (very old) clients that only recognize SHA-1.



How To Test

User Experience

Dependencies

FreeIPA (freeipa-server-dns) depends on OpenDNSSec.


Contingency Plan

  • Contingency mechanism: Keep the current -sha1 behavior.
  • Contingency deadline: Beta freeze
  • Blocks release? N/A (not a System Wide Change), Yes/No


Documentation

N/A (not a System Wide Change)

Release Notes