Bug #42272 for bind9-public: stop dnssec-keygen generating hmac keys in 9.13

Thu, 28 Apr 2016 19:44:20 -0400 Mark Andrews <marka@isc.org> - Ticket created

Subject:

stop dnssec-keygen generating hmac keys in 9.11

Also check that all the tools accept the tsigkegen output.

Tue, 03 May 2016 13:59:24 -0400 Evan Hunt <Evan_Hunt@isc.org> - Status changed from 'new' to 'open'

Tue, 03 May 2016 13:59:45 -0400 Evan Hunt <Evan_Hunt@isc.org> - Priority P2 Normal added

Tue, 03 May 2016 13:59:45 -0400 Evan Hunt <Evan_Hunt@isc.org> - Severity S2 Normal added

Thu, 05 May 2016 07:19:11 -0400 Stephen Morris <stephen@isc.org> - Area feature added

Thu, 05 May 2016 07:19:12 -0400 Stephen Morris <stephen@isc.org> - Component BIND Utilities added

Thu, 23 Jun 2016 17:31:19 -0400 Vicky Risk <vicky@isc.org> - Version Found 9.11 added

Mon, 23 Oct 2017 01:08:00 -0400 Evan Hunt <Evan_Hunt@isc.org> - Correspondence added

Dang it, we forgot to do this for 9.11 and then forgot again for 9.12. Is it too late to put in a deprecated-usage warning in 9.12? And be sure to finish this in 9.13.

Mon, 23 Oct 2017 01:41:00 -0400 Mark Andrews <marka@isc.org> - Correspondence added

Date:	Mon, 23 Oct 2017 16:37:05 +1100
From:	"Mark Andrews" <marka@isc.org>
To:	bind9-confidential@isc.org
Subject:	Re: [ISC-Bugs #42272] stop dnssec-keygen generating hmac keys in 9.11

In message <rt-4.4.1-85494-1508735280-1610.42272-5-0@isc.org>, "Evan Hunt via RT" writes: > Dang it, we forgot to do this for 9.11 and then forgot again for 9.12. > > Is it too late to put in a deprecated-usage warning in 9.12? And be sure > to finish this in 9.13. That should be fine. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org

Mon, 23 Oct 2017 02:38:51 -0400 Evan Hunt <Evan_Hunt@isc.org> - Correspondence added

Please review rt42272.

Mon, 23 Oct 2017 02:38:51 -0400 Evan Hunt <Evan_Hunt@isc.org> - Status changed from 'open' to 'review'

Mon, 23 Oct 2017 04:29:08 -0400 Mukund Sivaraman <muks@isc.org> - Correspondence added

Date:	Mon, 23 Oct 2017 13:58:55 +0530
Subject:	Re: [ISC-Bugs #42272] stop dnssec-keygen generating hmac keys in 9.11
To:	"Evan Hunt via RT" <bind9-confidential@isc.org>
From:	"Mukund Sivaraman" <muks@isc.org>

On Mon, Oct 23, 2017 at 05:08:01AM +0000, Evan Hunt via RT wrote: > Dang it, we forgot to do this for 9.11 and then forgot again for 9.12. > > Is it too late to put in a deprecated-usage warning in 9.12? And be sure > to finish this in 9.13. Also add warning posters next to another thing we let pass: the default of HMAC-MD5 in rndc-confgen, etc. Mukund

Mon, 23 Oct 2017 12:17:03 -0400 Vicky Risk <vicky@isc.org> - Correspondence added

Date:	Mon, 23 Oct 2017 09:18:10 -0700
To:	bind9-confidential@isc.org
Subject:	Re: [ISC-Bugs #42272] stop dnssec-keygen generating hmac keys in 9.11
From:	"Victoria Risk" <vicky@isc.org>

IMHO if we do a beta2 we could include this there. I didn’t get any response to my suggestion about a second beta though…

On Oct 23, 2017, at 1:29 AM, Mukund Sivaraman via RT <bind9-confidential@isc.org> wrote:

On Mon, Oct 23, 2017 at 05:08:01AM +0000, Evan Hunt via RT wrote:
Dang it, we forgot to do this for 9.11 and then forgot again for 9.12.

Is it too late to put in a deprecated-usage warning in 9.12? And be sure
to finish this in 9.13.

Also add warning posters next to another thing we let pass: the default
of HMAC-MD5 in rndc-confgen, etc.

Mukund

--
Ticket History: https://bugs.isc.org/Ticket/Display.html?id=42272

Victoria Risk

Product Manager

Internet Systems Consortium

vicky@isc.org

Mon, 23 Oct 2017 13:21:21 -0400 Evan Hunt <each@isc.org> - Correspondence added

Date:	Mon, 23 Oct 2017 17:21:17 +0000
CC:
From:	"Evan Hunt" <each@isc.org>
To:	"Mukund Sivaraman via RT" <bind9-confidential@isc.org>
Subject:	Re: [ISC-Bugs #42272] stop dnssec-keygen generating hmac keys in 9.11

On Mon, Oct 23, 2017 at 08:29:08AM +0000, Mukund Sivaraman via RT wrote: > Also add warning posters next to another thing we let pass: the default > of HMAC-MD5 in rndc-confgen, etc. Excellent idea, thank you.

Mon, 23 Oct 2017 17:08:48 -0400 Evan Hunt <Evan_Hunt@isc.org> - Queue changed from #6 to bind9-public

Mon, 23 Oct 2017 17:09:07 -0400 Evan Hunt <Evan_Hunt@isc.org> - Subject changed from 'stop dnssec-keygen generating hmac keys in 9.11' to 'stop dnssec-keygen generating hmac keys in 9.13'

Tue, 24 Oct 2017 05:34:28 -0400 Francis Dupont <Francis_Dupont@isc.org> - Correspondence added

On Tue Oct 24 01:56:40 2017, each@isc.org wrote: > > Are we in agreement that HMAC-MD5 is the best choice for default? > > I'm guessing you meant "is not"? > > I definitely want the default to change, but since we've already shipped > beta, it shouldn't change for 9.12. I've pushed code to the branch that > prints a warning message and promises to change the default in the future. => as I pushed alternative to HMAC-MD5 a long time ago you already know my opinion. BTW most arguments against MD5 are applicable so will be applied to SHA-1 (or with other words in "no reason at all" IMHO there is a missing "technical").

Tue, 24 Oct 2017 13:32:26 -0400 Evan Hunt <Evan_Hunt@isc.org> - Taken

Tue, 24 Oct 2017 13:34:42 -0400 Evan Hunt <Evan_Hunt@isc.org> - Correspondence added

> It's not like we will break scripts for massive amount of people using > 9.12beta1 and switching to 9.12beta2. No, but it could break scripts based on earlier versions of BIND, and we generally try not to do that after beta1. I'm not against making an exception in this case, but let's have that conversation on Wednesday.

Tue, 24 Oct 2017 17:41:11 -0400 Francis Dupont <Francis_Dupont@isc.org> - Correspondence added

On Tue Oct 24 18:17:03 2017, muks wrote: > I don't know why NSEC3 came up in this thread. => because the same mechanism which banned MD5 targets now SHA-1 (e.g. SHA-1 is already not recommended in RSA signatures) and NSEC3 does not work without SHA-1.

Tue, 24 Oct 2017 18:34:24 -0400 Evan Hunt <Evan_Hunt@isc.org> - Correspondence added

4783. [func] The hmac-md5 algorithm is no longer recommended for use with RNDC keys. For compatibility reasons, it it is still the default algorithm in rndc-confgen, but this will be changed to hmac-sha256 in a future release. [RT #42272] 4782. [func] The use of dnssec-keygen to generate HMAC keys is deprecated in favor of tsig-keygen. dnssec-keygen will print a warning when used for this purpose. All HMAC algorithms will be removed from dnssec-keygen in a future release. [RT #42272] 9.12.0 Leaving the ticket open; tomorrow we'll decide whether to change the default.

Tue, 24 Oct 2017 18:34:25 -0400 Evan Hunt <Evan_Hunt@isc.org> - Status changed from 'review' to 'open'

Tue, 24 Oct 2017 18:36:32 -0400 Evan Hunt <Evan_Hunt@isc.org> - Correspondence added

Oops, I was a little too quick to post that - the change numbers are actually 4784 and 4785.

Wed, 25 Oct 2017 13:48:19 -0400 Evan Hunt <Evan_Hunt@isc.org> - Correspondence added

We decided at the support meeting to go ahead and change the default algorithm in rndc-confgen, so can someone please review rt42272b?

Wed, 25 Oct 2017 13:50:43 -0400 Evan Hunt <Evan_Hunt@isc.org> - Status changed from 'open' to 'review'

Wed, 25 Oct 2017 13:50:43 -0400 Evan Hunt <Evan_Hunt@isc.org> - Untaken

Fri, 27 Oct 2017 09:07:10 -0400 Ondrej Sury <ondrej@isc.org> - Given to Evan Hunt <Evan_Hunt@isc.org>

Fri, 27 Oct 2017 13:58:34 -0400 Evan Hunt <Evan_Hunt@isc.org> - Correspondence added

Thanks. Committed, and the earlier CHANGES note revised: 4785. [func] The hmac-md5 algorithm is no longer recommended for use with RNDC keys. The default in rndc-confgen is now hmac-sha256. [RT #42272] 9.12.0

Fri, 27 Oct 2017 13:58:35 -0400 Evan Hunt <Evan_Hunt@isc.org> - Status changed from 'review' to 'resolved'

Fri, 27 Oct 2017 13:58:35 -0400 Evan Hunt <Evan_Hunt@isc.org> - Version Fixed 9.12.0 added

Created:	Thu, 28 Apr 2016 19:44:20 -0400
Updated:	Fri, 27 Oct 2017 13:58:35 -0400
Closed:	Fri, 27 Oct 2017 13:58:35 -0400

Bug #42272 for bind9-public: stop dnssec-keygen generating hmac keys in 9.13

This bug tracker is no longer active.