#9422 fedoraproject.org dnssec validation failure on Fedora 33
Opened 4 months ago by pspacek. Modified 10 days ago

Describe what you would like us to do:

Upgrade DNSSEC signatures on fedoraproject.org to avoid obsolete algorithms which involve the SHA1 hash.

When do you need this to be done by? (YYYY/MM/DD)

Up to you. Clients running Fedora 33 might have trouble accessing fedoraproject.org domain until migration is done.

Background:

Domain fedoraproject.org fails DNSSEC validation on Fedora 33 because it uses the SHA1 algorithm, which is now forbidden in Fedora 33 as part of https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2.

This affects DNS resolvers which follow this system-wide policy, e.g. https://bugzilla.redhat.com/show_bug.cgi?id=1892704.

Workarounds for users are either changing the local policy, or disabling DNSSEC validation altogether. Both approaches lower end user security so I would recommend moving fedoraproject.org (and possibly other affected domains) to modern algorithms, preferably ECDSAP256SHA256.

Beware that migration to a different algorithm is a sensitive step and might break the domain completely if done sloppily. I'm happy to help with that process if you want, just drop me an e-mail.


Thanks. I am going to roll in a different ticket on this. I will need help and advice to do this correctly.

Metadata Update from @smooge:
- Issue assigned to smooge

4 months ago

Metadata Update from @smooge:
- Issue tagged with: dns, medium-gain, medium-trouble, ops

4 months ago

I am adding a security flag so I can get a review from our security officer @puiterwijk what algorithms and versions are needed to make sure other parts of the infrastructure he depends on keep working.

Metadata Update from @smooge:
- Issue tagged with: security

4 months ago

Metadata Update from @smooge:
- Issue priority set to: Waiting on Assignee (was: Needs Review)

4 months ago

I have added a new set of keys for +014+ to most of the Fedoraproject zones. The longest TTL for fedoraproject.org is 4 weeks (the expire) so I will remove the old keys in 4 weeks from various zones.

Current status. @puiterwijk is looking at what is needed to make this work. My change would have fixed some things but not all.

So, it's been a few months... where are we at here?

fedoraproject.org DNSKEY still includes both. The DS records still reference only the RSASHA1 key. Not ready yet.

$ dig +multi -t DNSKEY fedoraproject.org

; <<>> DiG 9.16.11-RedHat-9.16.11-2.fc32 <<>> +multi -t DNSKEY fedoraproject.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34923
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;fedoraproject.org. IN DNSKEY

;; ANSWER SECTION:
fedoraproject.org.  218 IN DNSKEY 257 3 5 (
                AwEAAdTXJc0joiKGfTvLXi+LXxGpKvPvOoJEst9PR8TC
                CvXGVp7h3BY3uXLkjckuT0aopCp2KF8zHgNgpMK03p1f
                d94pn9JZSuxfqvKsiYH2KvNOa/655oPj06jRhqAP5grX
                01Iz4BH411ZhGxIQ1BzZtOr1wAazojMJzLUgChRJs8GV
                t3LU0e6T8z1RQF33Dt9UMHIR5EAsFAqfZ/tsbfJDYktG
                oZi3nFlW7A745+ObM1LNXOWq3FcYPVzhH08Q7/7Wpxmz
                M6/ET8VeqWIsvh8EnZNDNMfJyPbY9B1BOIrFCpE03ALg
                FMejaBZwmeQaX+D4Duup5xGOmdtCO4GSpM1YH6c=
                ) ; KSK; alg = RSASHA1 ; key id = 16207
fedoraproject.org.  218 IN DNSKEY 256 3 14 (
                04ZsDOgyzs3kJsJ4jEY3MYufkCOWm1OI8N4M+dlBOBmw
                eln0TSaKfafHzNCkaPiVG4bdgdnrzwxmjpK5GQgsiB47
                np+I8850Ea3EJG5ORDl3f//lrr92HiYh5DxCNhkG
                ) ; ZSK; alg = ECDSAP384SHA384 ; key id = 60624
fedoraproject.org.  218 IN DNSKEY 257 3 14 (
                7ttmhus8JD56ybsvMVZVsXa3U2R+2+WmOPIP7BU6t2Li
                cosMZ2Ju3pfvijsa5LvBvVCB4xVtLSqEdLSvW4vJPLSA
                B2uyJwHPJMezh0SzGmVCImLU6qDxsxjHqtZ76/Sf
                ) ; KSK; alg = ECDSAP384SHA384 ; key id = 58125
fedoraproject.org.  218 IN DNSKEY 256 3 5 (
                AwEAAcCWNQWl5pCI3iOOP2r8nStL60Zjb/2JQLQytamV
                ap0L44z0YWftu7pu0hx3cnIM1ejQOsEwbg2/10IyC+38
                cYqJDXbSdFg1zGztOS5xNz7r9hzSRK5N2jkycdJ/BoBy
                J4Y+XGpDqfG4I97++8sIzSrw60TmGAKTvM9viL3ByeCN
                ) ; ZSK; alg = RSASHA1 ; key id = 7725

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Út úno 16 17:36:24 CET 2021
;; MSG SIZE  rcvd: 694

$ dig +multi -t DS fedoraproject.org

; <<>> DiG 9.16.11-RedHat-9.16.11-2.fc32 <<>> +multi -t DS fedoraproject.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27260
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;fedoraproject.org. IN DS

;; ANSWER SECTION:
fedoraproject.org.  59179 IN DS 16207 5 2 (
                A7C9BF5AFE374C9650ED678F3D36931A7DE9256B86A7
                BC34D6DEED7D4E492E5E )
fedoraproject.org.  59179 IN DS 16207 5 1 (
                8DD099791A2A110851FDE5D14F6C62ADC3DD7C18 )

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Út úno 16 17:39:28 CET 2021
;; MSG SIZE  rcvd: 130
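The check made by hand in the comment above (which KSKs the parent's DS records actually anchor, and whether that path still depends on SHA1) can be automated. The script below is an added example and not part of this ticket or of Fedora Infrastructure's tooling. It computes DNSKEY key tags (RFC 4034 Appendix B) and DS digests (RFC 4034 section 5.1.4) from the public key data, then reports which KSKs the DS set covers and whether any SHA1-free chain of trust exists. The two KSK public keys and the two DS records are copied from the dig output above (the ZSKs are omitted because DS records never point at them); `dig` reports key ids 16207 and 58125 for those keys, which a correct key tag computation reproduces. The zone name `example.test.` and its keys used in the test scenario are constructed, not real.

```python
import base64
import hashlib

# DNSSEC signing algorithm numbers (IANA registry) whose signatures use SHA-1.
SHA1_SIGNING_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}
ALG_NAMES = {**SHA1_SIGNING_ALGS, 8: "RSASHA256", 10: "RSASHA512",
             13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519"}
# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: 2-byte flags, protocol, algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit word sum of the RDATA with carry folded in."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical wire form of an owner name: length-prefixed lowercase labels, root terminator."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def ds_digest(name, rdata, digest_type):
    """DS digest per RFC 4034 section 5.1.4: hash(owner name in wire form | DNSKEY RDATA)."""
    return DS_DIGESTS[digest_type](owner_wire(name) + rdata).hexdigest().upper()


def audit(zone, dnskeys, ds_set):
    """
    dnskeys: [(flags, protocol, algorithm, base64_key)] as published in the zone
    ds_set:  [(key_tag, algorithm, digest_type, hex_digest)] as published by the parent
    Returns the anchored KSK tags, findings relevant to a SHA-1-rejecting validator,
    and whether at least one DS -> DNSKEY path avoids SHA-1 entirely.
    """
    keys = []
    for flags, proto, alg, b64 in dnskeys:
        rdata = dnskey_rdata(flags, proto, alg, b64)
        keys.append((key_tag(rdata), alg, flags, rdata))

    findings, anchored, sha1_free_path = [], set(), False
    for tag, alg, dtype, digest in ds_set:
        match = next((k for k in keys if k[0] == tag and k[1] == alg
                      and ds_digest(zone, k[3], dtype) == digest.upper()), None)
        if match is None:
            findings.append(f"DS {tag}/{alg}/{dtype} matches no published DNSKEY")
            continue
        anchored.add(tag)
        if alg in SHA1_SIGNING_ALGS:
            findings.append(f"DS {tag} anchors a {SHA1_SIGNING_ALGS[alg]} key (SHA-1 signing algorithm)")
        if dtype == 1:
            findings.append(f"DS {tag} uses the SHA-1 digest type; retire it once a SHA-256 DS exists")
        if alg not in SHA1_SIGNING_ALGS and dtype != 1:
            sha1_free_path = True

    for tag, alg, flags, _ in keys:
        if flags & 1 and tag not in anchored:  # SEP bit set marks the key as a KSK
            findings.append(f"KSK {tag} ({ALG_NAMES.get(alg, alg)}) is published but no DS references it")
    return {"anchored": sorted(anchored), "findings": findings, "sha1_free_path": sha1_free_path}


# Data copied from the dig output in this ticket (KSKs only).
FEDORA_ZONE = "fedoraproject.org."
FEDORA_DNSKEYS = [
    (257, 3, 5, "AwEAAdTXJc0joiKGfTvLXi+LXxGpKvPvOoJEst9PR8TC"
                "CvXGVp7h3BY3uXLkjckuT0aopCp2KF8zHgNgpMK03p1f"
                "d94pn9JZSuxfqvKsiYH2KvNOa/655oPj06jRhqAP5grX"
                "01Iz4BH411ZhGxIQ1BzZtOr1wAazojMJzLUgChRJs8GV"
                "t3LU0e6T8z1RQF33Dt9UMHIR5EAsFAqfZ/tsbfJDYktG"
                "oZi3nFlW7A745+ObM1LNXOWq3FcYPVzhH08Q7/7Wpxmz"
                "M6/ET8VeqWIsvh8EnZNDNMfJyPbY9B1BOIrFCpE03ALg"
                "FMejaBZwmeQaX+D4Duup5xGOmdtCO4GSpM1YH6c="),
    (257, 3, 14, "7ttmhus8JD56ybsvMVZVsXa3U2R+2+WmOPIP7BU6t2Li"
                 "cosMZ2Ju3pfvijsa5LvBvVCB4xVtLSqEdLSvW4vJPLSA"
                 "B2uyJwHPJMezh0SzGmVCImLU6qDxsxjHqtZ76/Sf"),
]
FEDORA_DS = [
    (16207, 5, 2, "A7C9BF5AFE374C9650ED678F3D36931A7DE9256B86A7BC34D6DEED7D4E492E5E"),
    (16207, 5, 1, "8DD099791A2A110851FDE5D14F6C62ADC3DD7C18"),
]


def fedora_audit():
    return audit(FEDORA_ZONE, FEDORA_DNSKEYS, FEDORA_DS)


if __name__ == "__main__":
    result = fedora_audit()
    print("anchored KSKs:", result["anchored"], "SHA-1-free path:", result["sha1_free_path"])
    for finding in result["findings"]:
        print(" -", finding)
```

Run against the ticket data, the script reports that only the RSASHA1 KSK is anchored, that the ECDSAP384SHA384 KSK has no DS yet, and that no SHA-1-free path exists, which is exactly the state described in the comment above. The rollover is finished, from a validator's point of view, once the parent publishes a SHA-256 DS for the ECDSA KSK and `sha1_free_path` turns true; only then can the RSASHA1 DS and keys be withdrawn.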


Metadata: board ops, status In Progress