Maintained by: NLnet Labs

Unbound 1.6.2rc1 pre-release

Paul Wouters
Sun Apr 23 19:03:15 CEST 2017


There is a very good reason for not killing SHA1 right now in 

https://tools.ietf.org/html/draft-wouters-sury-dnsop-algorithm-update-02

Sent from my iPhone

> On Apr 23, 2017, at 12:46, Viktor Dukhovni via Unbound-users <unbound-users at unbound.net> wrote:
> 
>> On Sat, Apr 22, 2017 at 01:43:41PM +0200, A. Schulze wrote:
>> 
>>> Am 22.04.2017 um 13:20 schrieb A. Schulze via Unbound-users:
>>>> Am 13.04.2017 um 10:17 schrieb W.C.A. Wijngaards via Unbound-users:
>>>> 
>>>> Unbound 1.6.2rc1 maintainers prerelease is available:
>>>> - --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and
>>>>  DS records.  NSEC3 is not disabled.
>>> 
>>> I tried --disable-sha1 and found that any .org zone no longer got validated
>>> (it was handled like unsigned)
>> 
>> there are currently 2727 DS records in the root zone.
>>  65 x Algorithm 5  for DNSKEY RSA/SHA-1
> 
> Note that this includes the ".se" TLD which I believe has one of
> the highest number of signed child 2LDs.  Among zones for which
> I can get complete zone data, the signed 2LD child count is:
> 
>  685654 se    ALG 5    (RSA/SHA-1)
>  654244 com   ALG 8    (RSA/SHA-256)
>  104376 net   ALG 8
>   84536 nu    ALG 7    (RSA/SHA-1 NSEC3-SHA1)
>   75838 org   ALG 7
>   19909 ovh   ALG 8
>    7401 xyz
>         ...
> 
> (Incomplete) data from other sources yields lower bounds for
> additional TLDs:
> 
>    514361 nl    ALG 8
>    313133 fr    ALG 8
>    175890 cz    ALG 10   (RSA/SHA-512)
>    165568 no    ALG 8
>    116359 de    ALG 8
>     91986 eu    ALG 8
>     49890 br    ALG 5
>     19818 info  ALG 7
>     16756 hu    ALG 8
>     15379 biz   ALG 8
>     14167 pw    ALG 7
>     14009 be    ALG 8
>      5504 at    ALG 8
>       ...
> 
>> --disable-sha1 makes 539 zones (~20% of the root zone) unsigned;
>> that sounds strongly not like "enabled on production systems" :-)
> 
> Yes, this loses .se, .nu, .org, .br, .info and .pw which collectively
> account for at least 930k signed 2LD domains out of a total of
> around 3 million.  So that's closer to 30% of the deployed base.
> 
> -- 
>    Viktor.
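To reproduce the kind of tally quoted in this thread (DS records per DNSKEY algorithm, and which delegations a validator built with --disable-sha1 would treat as unsigned), here is an added example script. It is not code from the thread, from NLnet Labs or from Unbound. It assumes a presentation-format zone file as input (the constructed sample embedded below stands in for the root zone; owner names are real TLDs but key tags and digests are made up), treats DNSKEY algorithms 5 and 7 as the SHA-1 ones (the DS digest type is parsed but not used to decide anything), and applies the RFC 4035 section 5.2 rule that a delegation stays validatable as long as at least one of its DS records names an algorithm the validator supports, so a zone in mid-rollover with one SHA-1 DS and one SHA-256 DS is not counted as lost.

```python
"""Count DS records per DNSKEY algorithm in a zone file and list the
delegations that a validator with SHA-1 algorithms disabled would no
longer validate (they become insecure, i.e. look unsigned).

Example code for the unbound-users discussion; not part of Unbound.
"""
from collections import defaultdict

# IANA DNSSEC algorithm numbers (well known; names per RFC 8624)
ALG_NAMES = {
    5: "RSA/SHA-1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSA/SHA-256",
    10: "RSA/SHA-512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
}
# DNSKEY algorithms whose RRSIGs are computed over SHA-1
SHA1_ALGS = {5, 7}

# Constructed sample input standing in for the root zone. Key tags and
# digests are made up; only the algorithm column matters here.
SAMPLE_ZONE = """\
se.      86400 IN DS 11111 5 1 0123456789ABCDEF0123456789ABCDEF01234567
se.      86400 IN DS 11111 5 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
com.     86400 IN DS 22222 8 2 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
org.     86400 IN DS 33333 7 1 BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
org.     86400 IN DS 33333 7 2 BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
nu.      86400 IN DS 44444 7 2 CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
; constructed: a TLD mid-rollover, publishing DS for an old SHA-1 KSK and a new ECDSA KSK
example. 86400 IN DS 55555 5 2 DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
example. 86400 IN DS 55556 13 2 EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
cz.      86400 IN DS 66666 10 2 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
"""


def parse_ds(zone_text):
    """Return {owner: [(keytag, algorithm, digest_type), ...]} from one-line
    presentation-format DS RRs. TTL and class are optional; ';' starts a comment."""
    ds = defaultdict(list)
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            i = [f.upper() for f in fields].index("DS")
        except ValueError:
            continue  # not a DS record
        if len(fields) < i + 5:
            continue  # truncated RDATA
        keytag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
        ds[fields[0].lower()].append((keytag, alg, dtype))
    return dict(ds)


def tally_algorithms(ds_by_owner):
    """DS record count per DNSKEY algorithm, like the 'N x Algorithm 5' figures above."""
    counts = defaultdict(int)
    for rrs in ds_by_owner.values():
        for _keytag, alg, _dtype in rrs:
            counts[alg] += 1
    return dict(counts)


def zones_lost_without(ds_by_owner, disabled=SHA1_ALGS):
    """Delegations whose DS RRset names only disabled algorithms.

    RFC 4035 section 5.2: if a validator supports none of the algorithms in the
    DS RRset, the child is treated as unsigned. One supported DS is enough."""
    lost = []
    for owner, rrs in sorted(ds_by_owner.items()):
        algs = {alg for _keytag, alg, _dtype in rrs}
        if algs and algs <= disabled:
            lost.append(owner)
    return lost


def report(zone_text, disabled=SHA1_ALGS):
    """Summarise a zone: delegation count, per-algorithm tally, delegations lost."""
    ds = parse_ds(zone_text)
    lost = zones_lost_without(ds, disabled)
    return {
        "delegations": len(ds),
        "by_algorithm": tally_algorithms(ds),
        "lost": lost,
        "lost_fraction": len(lost) / len(ds) if ds else 0.0,
    }


if __name__ == "__main__":
    r = report(SAMPLE_ZONE)
    for alg, n in sorted(r["by_algorithm"].items()):
        print(f"{n:4d} x Algorithm {alg:<3} {ALG_NAMES.get(alg, 'unknown')}")
    print(f"{len(r['lost'])} of {r['delegations']} delegations validate only via "
          f"SHA-1 algorithms: {', '.join(r['lost'])}")
```

Run it against a copy of the root zone instead of the embedded sample (`report(open("root.zone").read())`) to get the real numbers; the per-delegation check is the part worth keeping, since counting DS records alone overstates the loss for any TLD that publishes DS for more than one algorithm.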