#9422 fedoraproject.org dnssec validation failure on Fedora 33
Opened a month ago by pspacek. Modified a month ago

Describe what you would like us to do:

Upgrade DNSSEC signatures on fedoraproject.org to avoid obsolete algorithms which involve SHA1 hash.

When do you need this to be done by? (YYYY/MM/DD)

Up to you. Clients running Fedora 33 might have trouble accessing fedoraproject.org domain until migration is done.
Domain fedoraproject.org fails DNSSEC validation on Fedora 33 because it uses the SHA1 algorithm, which is now forbidden in Fedora 33 as part of https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2.

This affects DNS resolvers which follow this system-wide policy, e.g. https://bugzilla.redhat.com/show_bug.cgi?id=1892704.

Workarounds for users are either changing the local policy, or disabling DNSSEC validation altogether. Both approaches lower end user security so I would recommend moving fedoraproject.org (and possibly other affected domains) to modern algorithms, preferably ECDSAP256SHA256.

Beware that migration to a different algorithm is a sensitive step and might break the domain completely if done sloppily. I'm happy to help with that process if you want, just drop me an e-mail.

Thanks, I am going to roll in a different ticket on this. I will need help and advice to do this correctly.

Metadata Update from @smooge:
- Issue assigned to smooge

a month ago

Metadata Update from @smooge:
- Issue tagged with: dns, medium-gain, medium-trouble, ops

a month ago

I am adding a security flag so I can get a review from our security officer @puiterwijk what algorithms and versions are needed to make sure other parts of the infrastructure he depends on keep working.

Metadata Update from @smooge:
- Issue tagged with: security

a month ago

Metadata Update from @smooge:
- Issue priority set to: Waiting on Assignee (was: Needs Review)

a month ago

I have added a new set of keys for +014+ to most of the Fedoraproject zones. The longest TTL for fedoraproject.org is 4 weeks (the expire), so I will remove the old keys in 4 weeks from various zones.
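Added example (not the ticket's or Fedora infrastructure's own tooling) for the two points above, the SHA1 validation failure in the description and the +014+ rollover in the last comment: a small Python check over DNSKEY/DS records in dig-style presentation format that flags anything still involving SHA-1 and computes RFC 4034 key tags, the number carried in key file names such as +014+NNNNN (algorithm 14 is ECDSAP384SHA384, 13 is ECDSAP256SHA256, per the IANA registry). The records in SAMPLE are constructed with dummy key material, not fedoraproject.org's real keys; the input format ("owner TTL IN TYPE rdata") is an assumption.

```python
import base64
import struct

# IANA DNSSEC algorithm numbers; True marks algorithms that involve SHA-1.
ALGORITHMS = {3: ("DSA", True), 5: ("RSASHA1", True), 6: ("DSA-NSEC3-SHA1", True),
              7: ("RSASHA1-NSEC3-SHA1", True), 8: ("RSASHA256", False), 10: ("RSASHA512", False),
              13: ("ECDSAP256SHA256", False), 14: ("ECDSAP384SHA384", False),
              15: ("ED25519", False), 16: ("ED448", False)}
# DS digest types; type 1 is SHA-1.
DS_DIGESTS = {1: ("SHA-1", True), 2: ("SHA-256", False), 4: ("SHA-384", False)}

def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1): 16-bit sum over DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))  # odd trailing byte lands high
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def audit(records):
    """Classify DNSKEY/DS lines; returns (owner, type, key tag, algorithm, digest, sha1_involved)."""
    findings = []
    for line in records:
        fields = line.split()
        if len(fields) < 8 or fields[2] != "IN":  # assumed format: owner TTL IN TYPE rdata
            continue
        owner, rtype = fields[0], fields[3]
        if rtype == "DNSKEY":
            flags, proto, alg = int(fields[4]), int(fields[5]), int(fields[6])
            pub = base64.b64decode("".join(fields[7:]))
            name, weak = ALGORITHMS.get(alg, (f"ALG{alg}", False))
            findings.append((owner, "DNSKEY", key_tag(flags, proto, alg, pub), name, None, weak))
        elif rtype == "DS":
            tag, alg, dtype = int(fields[4]), int(fields[5]), int(fields[6])
            name, weak_alg = ALGORITHMS.get(alg, (f"ALG{alg}", False))
            dname, weak_dig = DS_DIGESTS.get(dtype, (f"DIGEST{dtype}", False))
            findings.append((owner, "DS", tag, name, dname, weak_alg or weak_dig))
    return findings

def sha1_free(records):
    """True once nothing in the set involves SHA-1, i.e. validators under the Fedora 33 policy
    would accept it; the old keys/DS can be retired only after the longest TTL has run out."""
    return not any(item[-1] for item in audit(records))

# Constructed sample: a zone mid-rollover, the old RSASHA1 KSK still published beside the new one.
SAMPLE = [
    "example.org. 86400 IN DNSKEY 257 3 5 AQID",   # constructed RSASHA1 KSK, key tag 2056
    "example.org. 86400 IN DNSKEY 257 3 13 AQID",  # constructed ECDSAP256SHA256 KSK, key tag 2064
    "example.org. 86400 IN DS 2056 5 1 0123456789ABCDEF0123456789ABCDEF01234567",
    "example.org. 86400 IN DS 2064 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
]
```

Feed it the output of `dig +noall +answer DNSKEY <zone>` and `dig +noall +answer DS <zone>` from the parent; `sha1_free` stays False until both the old DNSKEY and its SHA-1 DS are gone.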
