Upgrade DNSSEC signatures on fedoraproject.org to avoid obsolete algorithms which involve SHA1 hash.
Up to you. Clients running Fedora 33 might have trouble accessing fedoraproject.org domain until migration is done.
Domain fedoraproject.org fails DNSSEC validation on Fedora 33 because it uses SHA1 algorithm, which is now forbidden in Fedora 33 as part of https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2 .
This affects DNS resolvers which follow this system-wide policy, e.g. https://bugzilla.redhat.com/show_bug.cgi?id=1892704 .
Workarounds for users are either changing the local policy, or disabling DNSSEC validation altogether. Both approaches lower end user security so I would recommend moving fedoraproject.org (and possibly other affected domains) to modern algorithms, preferably ECDSAP256SHA256.
Beware that migration to a different algorithm is a sensitive step and might break the domain completely if done sloppily. I'm happy to help with that process if you want, just drop me an e-mail.
Thanks I am going to roll in a different ticket on this. I will need help and advice to do this correctly.
Metadata Update from @smooge: - Issue assigned to smooge
Metadata Update from @smooge: - Issue tagged with: dns, medium-gain, medium-trouble, ops
I am adding a security flag so I can get a review from our security officer @puiterwijk what algorithms and versions are needed to make sure other parts of the infrastructure he depends on keep working.
Metadata Update from @smooge: - Issue tagged with: security
Metadata Update from @smooge: - Issue priority set to: Waiting on Assignee (was: Needs Review)
I have added a new set of keys for +014+ to most of the Fedoraproject zones. The longest TTL for fedoraproject.org is 4 weeks (the expire), so I will remove the old keys in 4 weeks from various zones.
Current status. @puiterwijk is looking at what is needed to make this work. My change would have fixed some things but not all.
So, it's been a few months... where are we at here?
fedoraproject.org DNSKEY still includes both. DS references still only RSASHA1 key. Not ready yet.
```
$ dig +multi -t DNSKEY fedoraproject.org

; <<>> DiG 9.16.11-RedHat-9.16.11-2.fc32 <<>> +multi -t DNSKEY fedoraproject.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34923
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;fedoraproject.org.	IN DNSKEY

;; ANSWER SECTION:
fedoraproject.org.	218 IN DNSKEY 257 3 5 (
				AwEAAdTXJc0joiKGfTvLXi+LXxGpKvPvOoJEst9PR8TC
				CvXGVp7h3BY3uXLkjckuT0aopCp2KF8zHgNgpMK03p1f
				d94pn9JZSuxfqvKsiYH2KvNOa/655oPj06jRhqAP5grX
				01Iz4BH411ZhGxIQ1BzZtOr1wAazojMJzLUgChRJs8GV
				t3LU0e6T8z1RQF33Dt9UMHIR5EAsFAqfZ/tsbfJDYktG
				oZi3nFlW7A745+ObM1LNXOWq3FcYPVzhH08Q7/7Wpxmz
				M6/ET8VeqWIsvh8EnZNDNMfJyPbY9B1BOIrFCpE03ALg
				FMejaBZwmeQaX+D4Duup5xGOmdtCO4GSpM1YH6c=
				) ; KSK; alg = RSASHA1 ; key id = 16207
fedoraproject.org.	218 IN DNSKEY 256 3 14 (
				04ZsDOgyzs3kJsJ4jEY3MYufkCOWm1OI8N4M+dlBOBmw
				eln0TSaKfafHzNCkaPiVG4bdgdnrzwxmjpK5GQgsiB47
				np+I8850Ea3EJG5ORDl3f//lrr92HiYh5DxCNhkG
				) ; ZSK; alg = ECDSAP384SHA384 ; key id = 60624
fedoraproject.org.	218 IN DNSKEY 257 3 14 (
				7ttmhus8JD56ybsvMVZVsXa3U2R+2+WmOPIP7BU6t2Li
				cosMZ2Ju3pfvijsa5LvBvVCB4xVtLSqEdLSvW4vJPLSA
				B2uyJwHPJMezh0SzGmVCImLU6qDxsxjHqtZ76/Sf
				) ; KSK; alg = ECDSAP384SHA384 ; key id = 58125
fedoraproject.org.	218 IN DNSKEY 256 3 5 (
				AwEAAcCWNQWl5pCI3iOOP2r8nStL60Zjb/2JQLQytamV
				ap0L44z0YWftu7pu0hx3cnIM1ejQOsEwbg2/10IyC+38
				cYqJDXbSdFg1zGztOS5xNz7r9hzSRK5N2jkycdJ/BoBy
				J4Y+XGpDqfG4I97++8sIzSrw60TmGAKTvM9viL3ByeCN
				) ; ZSK; alg = RSASHA1 ; key id = 7725

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Út úno 16 17:36:24 CET 2021
;; MSG SIZE  rcvd: 694

$ dig +multi -t DS fedoraproject.org

; <<>> DiG 9.16.11-RedHat-9.16.11-2.fc32 <<>> +multi -t DS fedoraproject.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27260
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;fedoraproject.org.	IN DS

;; ANSWER SECTION:
fedoraproject.org.	59179 IN DS 16207 5 2 (
				A7C9BF5AFE374C9650ED678F3D36931A7DE9256B86A7
				BC34D6DEED7D4E492E5E )
fedoraproject.org.	59179 IN DS 16207 5 1 (
				8DD099791A2A110851FDE5D14F6C62ADC3DD7C18 )

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Út úno 16 17:39:28 CET 2021
;; MSG SIZE  rcvd: 130
```
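The check behind the comment above ("DNSKEY includes both, DS only references the RSASHA1 key") can be automated. The script below is an added example, not code from this ticket or from Fedora infrastructure: it parses DNSKEY and DS answer sections in the `dig +multi` layout, computes key tags per RFC 4034 Appendix B, derives the DS record the parent would need for the algorithm 14 KSK (RFC 4034 section 5.1.4), and reports whether the SHA-1 based keys can be retired. The sample records are transcribed from the dig output in this ticket (base64 continuation lines joined two per line); the function names and the `rollover_status` verdict rules are this example's own.

```python
# Added example (not code from the ticket or from Fedora infrastructure): judge a DNSSEC
# algorithm rollover from the DNSKEY and DS RRsets as `dig +multi` prints them.
# Key tags and DS digests follow RFC 4034 (Appendix B and section 5.1.4).
import base64
import hashlib
import re
import struct
from typing import NamedTuple

SHA1_ALGORITHMS = {3, 5, 6, 7}   # DSA, RSASHA1 and their NSEC3 variants (IANA registry)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}   # DS digest types
DNSKEY = NamedTuple("DNSKEY", [("owner", str), ("flags", int), ("protocol", int), ("algorithm", int), ("key", bytes)])
DS = NamedTuple("DS", [("owner", str), ("key_tag", int), ("algorithm", int), ("digest_type", int), ("digest", bytes)])

def _flatten(dig_text):
    """Drop dig's ';' comments and the +multi parentheses; one space between tokens."""
    body = " ".join(line.split(";", 1)[0] for line in dig_text.splitlines())
    return re.sub(r"\s+", " ", body.replace("(", " ").replace(")", " ")).strip()

_NEXT = r"(?=\S+\.\s+\d+\s+IN\s|$)"   # lookahead: next record's owner name, or end of text
_DNSKEY_RE = re.compile(r"(\S+\.) \d+ IN DNSKEY (\d+) (\d+) (\d+) ((?:[A-Za-z0-9+/=]+ ?)+?)" + _NEXT)
_DS_RE = re.compile(r"(\S+\.) \d+ IN DS (\d+) (\d+) (\d+) ((?:[0-9A-Fa-f]+ ?)+?)" + _NEXT)

def parse_dnskeys(dig_text):
    return [DNSKEY(o, int(f), int(p), int(a), base64.b64decode(k.replace(" ", "")))
            for o, f, p, a, k in _DNSKEY_RE.findall(_flatten(dig_text))]

def parse_ds(dig_text):
    return [DS(o, int(t), int(a), int(d), bytes.fromhex(h.replace(" ", "")))
            for o, t, a, d, h in _DS_RE.findall(_flatten(dig_text))]

def dnskey_rdata(key):
    return struct.pack("!HBB", key.flags, key.protocol, key.algorithm) + key.key

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (every algorithm except the obsolete RSA/MD5, number 1)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Canonical lower-case wire-format owner name, the prefix hashed into a DS digest."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def make_ds(key, digest_type=2):
    """The DS record the parent zone would have to publish for this DNSKEY."""
    rdata = dnskey_rdata(key)
    digest = DIGESTS[digest_type](owner_wire(key.owner) + rdata).digest()
    return DS(key.owner, key_tag(rdata), key.algorithm, digest_type, digest)

def rollover_status(dnskeys, dss):
    """Can the SHA-1 based keys be removed without breaking the chain of trust?"""
    anchored = {ds.algorithm for ds in dss}   # algorithms the parent's DS set points at
    ksk_algorithms = {k.algorithm for k in dnskeys if k.flags & 1}   # SEP bit set
    problems = []
    if not anchored - SHA1_ALGORITHMS:
        problems.append("DS set only anchors SHA-1 based algorithms")
    if any(ds.digest_type == 1 for ds in dss):
        problems.append("a DS record still uses SHA-1 digest type 1")
    for alg in sorted(ksk_algorithms - anchored - SHA1_ALGORITHMS):
        problems.append(f"KSK with algorithm {alg} is published but has no DS at the parent")
    return {"published": {k.algorithm for k in dnskeys}, "anchored": anchored,
            "safe_to_remove_sha1_keys": bool(anchored - SHA1_ALGORITHMS), "problems": problems}

# Constructed input: the answer sections transcribed from the dig output in this ticket.
DNSKEY_ANSWER = """\
fedoraproject.org. 218 IN DNSKEY 257 3 5 (
  AwEAAdTXJc0joiKGfTvLXi+LXxGpKvPvOoJEst9PR8TC CvXGVp7h3BY3uXLkjckuT0aopCp2KF8zHgNgpMK03p1f
  d94pn9JZSuxfqvKsiYH2KvNOa/655oPj06jRhqAP5grX 01Iz4BH411ZhGxIQ1BzZtOr1wAazojMJzLUgChRJs8GV
  t3LU0e6T8z1RQF33Dt9UMHIR5EAsFAqfZ/tsbfJDYktG oZi3nFlW7A745+ObM1LNXOWq3FcYPVzhH08Q7/7Wpxmz
  M6/ET8VeqWIsvh8EnZNDNMfJyPbY9B1BOIrFCpE03ALg FMejaBZwmeQaX+D4Duup5xGOmdtCO4GSpM1YH6c=
  ) ; KSK; alg = RSASHA1 ; key id = 16207
fedoraproject.org. 218 IN DNSKEY 256 3 14 (
  04ZsDOgyzs3kJsJ4jEY3MYufkCOWm1OI8N4M+dlBOBmw eln0TSaKfafHzNCkaPiVG4bdgdnrzwxmjpK5GQgsiB47
  np+I8850Ea3EJG5ORDl3f//lrr92HiYh5DxCNhkG ) ; ZSK; alg = ECDSAP384SHA384 ; key id = 60624
fedoraproject.org. 218 IN DNSKEY 257 3 14 (
  7ttmhus8JD56ybsvMVZVsXa3U2R+2+WmOPIP7BU6t2Li cosMZ2Ju3pfvijsa5LvBvVCB4xVtLSqEdLSvW4vJPLSA
  B2uyJwHPJMezh0SzGmVCImLU6qDxsxjHqtZ76/Sf ) ; KSK; alg = ECDSAP384SHA384 ; key id = 58125
fedoraproject.org. 218 IN DNSKEY 256 3 5 (
  AwEAAcCWNQWl5pCI3iOOP2r8nStL60Zjb/2JQLQytamV ap0L44z0YWftu7pu0hx3cnIM1ejQOsEwbg2/10IyC+38
  cYqJDXbSdFg1zGztOS5xNz7r9hzSRK5N2jkycdJ/BoBy J4Y+XGpDqfG4I97++8sIzSrw60TmGAKTvM9viL3ByeCN
  ) ; ZSK; alg = RSASHA1 ; key id = 7725
"""
DS_ANSWER = """\
fedoraproject.org. 59179 IN DS 16207 5 2 (
  A7C9BF5AFE374C9650ED678F3D36931A7DE9256B86A7 BC34D6DEED7D4E492E5E )
fedoraproject.org. 59179 IN DS 16207 5 1 ( 8DD099791A2A110851FDE5D14F6C62ADC3DD7C18 )
"""

if __name__ == "__main__":
    keys, dss = parse_dnskeys(DNSKEY_ANSWER), parse_ds(DS_ANSWER)
    for k in keys:   # the computed tag should equal the "key id" dig printed for that key
        print(f"DNSKEY flags={k.flags} alg={k.algorithm} tag={key_tag(dnskey_rdata(k))}")
    print(rollover_status(keys, dss))
    for ds in (make_ds(k) for k in keys if k.flags & 1 and k.algorithm not in SHA1_ALGORITHMS):
        print(f"parent needs: DS {ds.key_tag} {ds.algorithm} {ds.digest_type} {ds.digest.hex().upper()}")
```

Run against the records in this ticket, `rollover_status` reports the DNSKEY RRset publishing algorithms 5 and 14 while the DS set anchors only algorithm 5 (and still carries a SHA-1 digest type 1 record), so `safe_to_remove_sha1_keys` is false; feeding it the DS record `make_ds` derives for the algorithm 14 KSK instead flips the verdict, which is the state the parent delegation has to reach before the old keys are pulled after the TTL wait.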