Maintained by: NLnet Labs

[Unbound-users] MD5 status deprecated by RFC6725

W.C.A. Wijngaards
Fri Aug 31 10:56:11 CEST 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

RFC6725 has appeared yesterday and it changes the DNSSEC DNSKEY
algorithm RSAMD5 from NOT RECOMMENDED (from RFC4034) to deprecated.

The current svn contains a code change that makes unbound treat RSAMD5
as unsupported algorithm: zones signed with RSAMD5 are treated with
AD=0, as insecure.  Unbound will cache the signatures for downstream
users and serve them unmodified (unbound will even still take some
(small) effort to fetch and cache RSAMD5 signatures for RSAMD5 zones).
 This code change would then appear in the next software release of
unbound.

For double-signed zones, the other algorithm is then used for security.

The algorithm table says zone-signing with RSAMD5 is N (for No).

There are some counter arguments for this change.  The RFC has
appeared very recently (but NOT RECOMMENDED was there for years).  We
do not want to take sudden, unilateral actions that surprise DNSSEC
users.  But Secspider sees 0 production-enabled zones with RSAMD5 (as
of Wed Jun 27 14:07:10 2012 UTC), http://secspider.cs.ucla.edu/.

Are there other arguments we should take into consideration?

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJQQHwrAAoJEJ9vHC1+BF+NZowP/AkJr/e3S2n8HPggbh0uJkYa
4l8MCjPYPDx8XaZrUVDEuSazA9svlTZNj059y0N7dvyzXwbZE0sUZnSZ3Tw0AhS3
x984TEWzKr8D0GEPzUrAB3ELp7OVbTF+TRs3TSaAmBiAoaPYHz4y8/U+SwRFmFjh
YjBV6WEr5kIsn+62Zpof+7ywv/ttx4PuaPnc1MLQjGmK2dTqv7WyWVziEcg2+dWS
LLn1Vuzwe6ncP8RwFiObBxF8G2oOwj+X32KtVEhuecw7UZFqDaXOp1soiFHtoDtx
MZkzu1hl4bdOX0QY/UIhNf9FxTaQdBZywzWrnQJ7tDIhF6PYCBWCAVpbX5+BjNrg
eSz342z+HhQMNJrCDCIi/fSZwEmg3Y+8/U+YKTjXds+DDmW/Cl608BzEaG2cU5Dc
Ho4n2WuPUlREBrSfx7+bVpCKY/x1exnXnnNwNB5WviA+JUZ+hRiXBQ23y65LfLMQ
hder6Jcjb3Bd6GQVWU7cdXvX9jd1TAgOwrAhUUtJMYW0S8SpLGKERhrMkktFreMV
wu8KNkcW/4sR0QaCSry2bpd89RxjXQV2+69cN65B78j8SVUoLosNfyls+wE4kUHN
6ln5LGFG/6bH5KqslRhosRMbqC1FBOFp9RqmivOVGiyQroscbwzlQjUqfW7X4cx2
cq+UWGAsWC1eBXmLGxNB
=3Yow
-----END PGP SIGNATURE-----