#9422 fedoraproject.org dnssec validation failure on Fedora 33
Opened a month ago by pspacek. Modified a month ago

Describe what you would like us to do:

Upgrade DNSSEC signatures on fedoraproject.org to avoid obsolete algorithms which involve SHA1 hash.

When do you need this to be done by? (YYYY/MM/DD)

Up to you. Clients running Fedora 33 might have trouble accessing fedoraproject.org domain until migration is done.

Background:

Domain fedoraproject.org fails DNSSEC validation on Fedora 33 because it uses the SHA1 algorithm, which is now forbidden in Fedora 33 as part of https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2 .

This affects DNS resolvers which follow this system-wide policy, e.g. https://bugzilla.redhat.com/show_bug.cgi?id=1892704 .

Workarounds for users are either changing the local policy, or disabling DNSSEC validation altogether. Both approaches lower end-user security, so I would recommend moving fedoraproject.org (and possibly other affected domains) to modern algorithms, preferably ECDSAP256SHA256.

Beware that migration to a different algorithm is a sensitive step and might break the domain completely if done sloppily. I'm happy to help with that process if you want, just drop me an e-mail.


Thanks, I am going to roll in a different ticket on this. I will need help and advice to do this correctly.

Metadata Update from @smooge:
- Issue assigned to smooge

a month ago

Metadata Update from @smooge:
- Issue tagged with: dns, medium-gain, medium-trouble, ops

a month ago

I am adding a security flag so I can get a review from our security officer @puiterwijk on what algorithms and versions are needed to make sure other parts of the infrastructure he depends on keep working.

Metadata Update from @smooge:
- Issue tagged with: security

a month ago

Metadata Update from @smooge:
- Issue priority set to: Waiting on Assignee (was: Needs Review)

a month ago

I have added a new set of keys for +014+ to most of the Fedoraproject zones. The longest TTL for fedoraproject.org is 4 weeks (the expire), so I will remove the old keys in 4 weeks from various zones.
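The issue description above flags SHA1-based DNSSEC algorithms, and the last comment records algorithm 14 (ECDSAP384SHA384) keys being added ahead of the old keys' removal. The following script is an added example, not code from this ticket or from Fedora Infrastructure: it parses DNSKEY and DS records in presentation format, marks every algorithm or DS digest type that depends on SHA1, and reports whether a validator that refuses SHA1 has a usable chain. It inspects DNSKEY/DS only (no RRSIGs), and the zone data, key tags, key material and digests are constructed placeholders.

```python
"""Audit DNSKEY/DS records for SHA1-dependent DNSSEC algorithms (added example)."""
import re

# IANA DNSSEC algorithm numbers; True marks algorithms whose signatures
# rely on SHA1 and are therefore rejected under the Fedora 33 crypto policy.
DNSKEY_ALGORITHMS = {
    5: ("RSASHA1", True), 7: ("RSASHA1-NSEC3-SHA1", True),
    8: ("RSASHA256", False), 10: ("RSASHA512", False),
    13: ("ECDSAP256SHA256", False), 14: ("ECDSAP384SHA384", False),
    15: ("ED25519", False), 16: ("ED448", False),
}
# DS digest types; type 1 is SHA-1.
DS_DIGESTS = {1: ("SHA-1", True), 2: ("SHA-256", False), 4: ("SHA-384", False)}

# Presentation format: DNSKEY rdata is "flags protocol algorithm key",
# DS rdata is "keytag algorithm digesttype digest"; the last field is not decoded.
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(DNSKEY|DS)\s+(\d+)\s+(\d+)\s+(\d+)\s+\S+")

# Constructed sample data; key tags, key material and digests are placeholders.
BEFORE = """fedoraproject.org. 3600 IN DNSKEY 257 3 5 PLACEHOLDERKSK5==
fedoraproject.org. 3600 IN DNSKEY 256 3 5 PLACEHOLDERZSK5==
fedoraproject.org. 86400 IN DS 11111 5 1 PLACEHOLDERSHA1DIGEST"""
DURING_ROLLOVER = BEFORE + """
fedoraproject.org. 3600 IN DNSKEY 257 3 14 PLACEHOLDERKSK14==
fedoraproject.org. 3600 IN DNSKEY 256 3 14 PLACEHOLDERZSK14=="""
AFTER_DS = DURING_ROLLOVER + "\nfedoraproject.org. 86400 IN DS 22222 14 2 PLACEHOLDERSHA256DIGEST"


def parse_records(zone_text):
    """Return (rrtype, algorithm, uses_sha1) per record; unknown numbers count as weak."""
    out = []
    for line in zone_text.splitlines():
        m = RR_RE.match(line.strip())
        if not m:
            continue
        rrtype, _, f2, f3 = m.group(2), int(m.group(3)), int(m.group(4)), int(m.group(5))
        if rrtype == "DNSKEY":
            out.append(("DNSKEY", f3, DNSKEY_ALGORITHMS.get(f3, ("?", True))[1]))
        else:  # a DS is SHA1-bound if either its algorithm or its digest type is
            weak = DNSKEY_ALGORITHMS.get(f2, ("?", True))[1] or DS_DIGESTS.get(f3, ("?", True))[1]
            out.append(("DS", f2, weak))
    return out


def policy_verdict(zone_text):
    """Classify what a validator that refuses SHA1 can do with these DNSKEY/DS records."""
    records = parse_records(zone_text)
    strong_keys = {alg for rr, alg, weak in records if rr == "DNSKEY" and not weak}
    strong_ds = {alg for rr, alg, weak in records if rr == "DS" and not weak}
    if not strong_keys:
        return "fails"      # every DNSKEY algorithm depends on SHA1
    if strong_keys & strong_ds:
        return "ok"         # non-SHA1 key with a matching non-SHA1 DS in the parent
    return "partial"        # new keys published, parent DS not yet updated
```

The three sample sets walk the rollover the thread describes: SHA1-only keys (fails), new algorithm 14 keys published beside them (partial), and a matching SHA-256 DS added at the parent (ok).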

