Why SHA-1 removal?
As part of the DNSSEC chain-of-trust, DS records are added to the parent zone of a domain. The content of a DS record is the hash value of the public part of the KSK key used in the subdomain. DNS Belgium uses both the SHA-1 and the SHA-256 hash function for the DS records in the zone files for the .be, .vlaanderen and .brussels domains.
A document entitled "SHA-1 is a shambles" presented at the Real World Crypto Symposium at the beginning of January 2020 describes a chosen-prefix collision attack on the SHA-1 hash function. This hash function can consequently no longer be considered safe. It is therefore recommended not to use the SHA-1 hash function anymore, not even in DNSSEC.
This document describes the SHA-1 removal project. It clarifies how and when DNS Belgium will remove the SHA-1 DS records from the zone files for the 3 domains, .be, .vlaanderen and .brussels.
In this project we will remove only the DS records with digest type 1 (SHA-1) from the zone. The DNSKEY algorithms that also use SHA-1, such as algorithm 5 (RSASHA1) and algorithm 7 (RSASHA1-NSEC3-SHA1) are still allowed. These are listed in RFC8624 as NOT RECOMMENDED, and will be phased out in another project.
Root zone
The DS records needed for the DNSSEC chain-of-trust for the domains for which DNS Belgium is responsible (.be , .vlaanderen and .brussels) have been added to the root zone. We already added 2 DS records for these domains to the root zone, one record with the SHA-1 hash value and one record with the SHA-256 hash value, before the SHA-1 removal project was started.
As the DNSSEC validating DNS resolver name servers can already handle SHA-256 hash values nowadays, we can remove the SHA-1 DS records from the root zone for these 3 domains without any impact for the outside world.
.be zone
Through the DNS Belgium registration platform, the registrar uploads the public part of the KSK key for the subdomains of the .be domain that have implemented DNSSEC. DNS Belgium calculates the hash values thereof for the DS records and adds them to the .be zone file. These are 2 DS records before the start of the 'SHA-1 removal' project: one record with the SHA-1 hash value of the KSK public key, and one record with the SHA-256 hash value. The adjustment that needs to be made in the framework of the SHA-1 removal project for the .be zone is entirely in the hands of the registry , DNS Belgium, which will no longer add the SHA-1 record to the .be zone file.
We will apply this change to the zone file in phases in order to limit any possible impact. First, we will no longer add the SHA-1 DS record to the zone file for all the subdomains starting with the letter A (in other words, we will add only the SHA-256 DS record to the zone file). After verification, we do the same for the subdomains starting with the letters B to G. Next, we no longer add the SHA-1 DS record to the zone file for the entire .be zone. We can implement this phasing as such because the zone file is generated over and over, using zone pub.
.vlaanderen-/.brussels zone
The DS records in the zone files for the gTLD domains .vlaanderen and .brussels are added in a somewhat different way. The registrar calculates the hash value for the DS record himself and passes it on to the registry, DNS Belgium, via the EPP protocol.
DNS Belgium then adds this record to the respective zone file of .vlaanderen or .brussels. It is therefore up to the registrars not to pass on SHA-1 DS records for the subdomains that have implemented DNSSEC, but a SHA-256 DS record. We also ask registrars to replace the SHA-1 DS records that have already been added to the .brussels or .vlaanderen zone file with SHA-256 DS records.
- If 2 DS records have already been created for a subdomain, the registrar can remove the SHA-1 DS record without any problems.
- If there is only 1 DS record for a subdomain and it already contains a SHA-256 hash value, nothing must be done.
- If there is only 1 DS record for a subdomain and it contains an SHA-1 hash value, the registrar should replace it with an SHA-256 DS record; this should be done as follows:
- Add the SHA-256 DS record
- Verify whether it is actually in the zone
- Wait for a period of at least 1 TTL (1 day)
- Delete the SHA-1 DS record
For more information, go to:
- DNSSEC, updated version of the DNS protocol
- Command 'update domain'
Planning
This is the DNS Belgium planning to remove all the SHA-1 DS records for the domains .be, .vlaanderen and .brussels:
- We will remove the SHA-1 DS record from the root zone file for the .vlaanderen and .brussels domains.
- Phase 1 of the SHA-1 removal from the .be zone file for all subdomains starting with the letter A
- Phase 2 of the SHA-1 removal from the .be zone file for all subdomains starting with the letter A to G
- Phase 3 of the SHA-1 removal from the .be zone file for all subdomains
- We remove the SHA-1 DS record from the root zone file for the .be domain.
- Start the information round for the removal of the SHA-1 records from the .vlaanderen and .brussels zone file; ask the registrars not to add the SHA-1 DS records anymore and to replace existing DS records with digest type 1 by DS records with digest type 2.
Links
- SHA-1 chosen prefix collisions and DNSSEC (University of Cambridge)
- SHA-1 and DNSSEC validation (University of Cambridge)
- SHA-1 is a Shambles
- SHA-1 is a Shambles. First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust
- SHA-1 is a Shambles∗ First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust (pdf)
- SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA
- Shattered. We have broken SHA-1 in practice
-
Why choose Zonepub?
‘Zone pub’ is the new file generation method to replace ‘Dynamic Update’. DNS Belgium put this new method in production.