MD5 status deprecated by RFC6725

Hi,

RFC6725 appeared yesterday and it changes the DNSSEC DNSKEY
algorithm RSAMD5 from NOT RECOMMENDED (from RFC4034) to deprecated.

The current svn contains a code change that makes unbound treat RSAMD5
as an unsupported algorithm: zones signed with RSAMD5 are treated with
AD=0, as insecure. Unbound will cache the signatures for downstream
users and serve them unmodified (unbound will even still take some
(small) effort to fetch and cache RSAMD5 signatures for RSAMD5 zones).
This code change would then appear in the next software release of
unbound.

For double-signed zones, the other algorithm is then used for security.

The algorithm table says zone-signing with RSAMD5 is N (for No).

There are some counter arguments for this change. The RFC has
appeared very recently (but NOT RECOMMENDED was there for years). We
do not want to take sudden, unilateral actions that surprise DNSSEC
users. But Secspider sees 0 production-enabled zones with RSAMD5 (as
of Wed Jun 27 14:07:10 2012 UTC), http://secspider.cs.ucla.edu/.

Are there other arguments we should take into consideration?

Best regards,
   Wouter

Yes. As I understand it there is _zero_ evidence that MD5 is insecure when used as a digest in DNSSEC.

IMHO, this option should be a configurable _policy_ decision, and for now it should default to the conservative "accept" position.

kind regards,

Ray

Note that FIPS mode bans MD5 irrespective of its use. So in FIPS mode,
MD5 will not be available, and unbound will have to be able to deal
with that. Since no one is deploying MD5 in DNSSEC, it might be
easier to just disable it by default, or at least have a compile
time option to disable it for those compiling for FIPS mode.

Paul
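
Added example, not part of the thread and not unbound's code: a small C model of the behaviour discussed above, where a zone whose DS set lists only unsupported algorithms is treated as insecure (AD=0) and a double-signed zone is validated with the remaining algorithm. The `policy` struct, the function names and the sample DS sets are assumptions made for illustration; the algorithm numbers are the IANA DNSSEC values.

```c
#include <stddef.h>
#include <stdio.h>

/* DNSSEC algorithm numbers (IANA registry). */
enum { ALG_RSAMD5 = 1, ALG_RSASHA1 = 5, ALG_RSASHA256 = 8 };

/* Hypothetical policy knob, not an unbound option: nonzero = still accept RSAMD5. */
struct policy { int accept_rsamd5; };
static const struct policy POLICY_STRICT = { 0 }, POLICY_ACCEPT = { 1 };

/* Constructed sample DS algorithm sets: RSAMD5-only and double-signed. */
static const int MD5_ONLY[] = { ALG_RSAMD5 };
static const int DUAL[] = { ALG_RSAMD5, ALG_RSASHA256 };

static int alg_supported(int alg, const struct policy *p)
{
    switch (alg) {
    case ALG_RSAMD5:    return p->accept_rsamd5;
    case ALG_RSASHA1:
    case ALG_RSASHA256: return 1;
    default:            return 0;   /* unknown algorithm: unsupported */
    }
}

/* Copy the supported algorithms from a zone's DS set into out (may be NULL)
 * and return how many there are. 0 means the zone is treated as insecure
 * (AD=0); otherwise validation proceeds using only the returned algorithms. */
static size_t usable_algs(const int *ds_algs, size_t n,
                          const struct policy *p, int *out)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        if (!alg_supported(ds_algs[i], p))
            continue;
        if (out)
            out[k] = ds_algs[i];
        k++;
    }
    return k;
}

int main(void)
{
    printf("md5-only, strict: %zu usable\n", usable_algs(MD5_ONLY, 1, &POLICY_STRICT, NULL));
    printf("dual, strict:     %zu usable\n", usable_algs(DUAL, 2, &POLICY_STRICT, NULL));
    printf("md5-only, accept: %zu usable\n", usable_algs(MD5_ONLY, 1, &POLICY_ACCEPT, NULL));
    return 0;
}
```

With the strict policy, the RSAMD5-only zone yields zero usable algorithms (insecure), while the double-signed zone keeps one; flipping the policy flag restores the older "accept" behaviour.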