[unbound] drop support for depreciated cryptographic algorithms leveraged in DNSSEC
Version 1.9.6
Configure line: --target=arm-openwrt-linux --host=arm-openwrt-linux --build=x86_64-pc-linux-gnu --program-prefix= --program-suffix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --libexecdir=/usr/lib --sysconfdir=/etc --datadir=/usr/share --localstatedir=/var --mandir=/usr/man --infodir=/usr/info --disable-gost --enable-allsymbols --enable-subnet --with-ldns=/home/beast/beast/workspace/turris-os-packages-master-omnia/build/staging_dir/target-arm_cortex-a9+vfpv3_musl_eabi/usr --with-libexpat=/home/beast/beast/workspace/turris-os-packages-master-omnia/build/staging_dir/target-arm_cortex-a9+vfpv3_musl_eabi/usr --with-ssl=/home/beast/beast/workspace/turris-os-packages-master-omnia/build/staging_dir/target-arm_cortex-a9+vfpv3_musl_eabi/usr --without-pthreads --enable-tfo-server --enable-tfo-client
Linked libs: pluggable-event internal (it uses select), OpenSSL 1.1.1d 10 Sep 2019
Linked modules: dns64 subnetcache respip validator iterator
TCP Fastopen feature available
-
DSA is since long depreciated, kresd already dropped support for it and upstream package too stipulates compilation arg/flag
--disable-dsa
[1] -
SHA1 probably debatable since statistics imply still being leveraged in DNSSEC by a large number of Delegation Signer and/or domain admin. However, as outlined by [2] SHA1 is in shambles.
On the 7th January, a new more flexible and efficient collision attack against SHA-1 was announced: SHA-1 is a shambles. SHA-1 is deprecated but still used in DNSSEC, and this collision attack means that some attacks against DNSSEC are now merely logistically challenging rather than being cryptographically infeasible.
As a consequence, anyone who is using a SHA-1 DNSKEY algorithm (algorithm numbers 7 or less) should upgrade. The recommended algorithms are 13 (ECDSAP256SHA256) or 8 (RSASHA256, with 2048 bit keys).
Subsequent, SHA1 in DNSSEC should be treated as insecure. Suppose the governing compilation arg/flag is --disable-sha1
[1] https://github.com/openwrt/packages/blob/master/net/unbound/Makefile#L149
[2] https://www.dns.cam.ac.uk/news/2020-01-09-sha-mbles.html