Skip to main content

It’s Time to Move Away From Using SHA-1 in the DNS

Earlier this month, cryptographers Gaëtan Leurent and Thomas Peyrin published an attack on the security of the SHA-1 hash algorithm that is used throughout the Internet. SHA-1 has been superseded by better hash algorithms for almost 20 years, but it is still in widespread use, mostly by people who don't know that the SHA-1 algorithm has weaknesses.

Hash algorithms are used to create short strings of bits, known as hash values, that can represent longer messages. One of the properties of good hash algorithms is that it is exceptionally and hopefully impossibly difficult to create two different messages that have the same hash value. For over a decade, cryptographers have been publishing papers showing attacks that chip away at the "strength" of SHA-1, that is, the ability for the SHA-1 algorithm to generate unique hash values given arbitrary input. This month's paper is a great improvement over that earlier work. Like most security protocols on the Internet, Domain Name System Security Extensions (DNSSEC) uses hash algorithms to increase the speed of signing and validating signatures.

The new attack makes it easier for an attacker to fool Domain Name System (DNS) zone administrators into creating hash values, or in DNSSEC terms, trusted signatures over DNS records they don't intend to sign. In technical terms, the new work makes it much faster for a malicious actor to create chosen-prefix collisions. In non-technical terms, an attacker can more easily create two DNS records that have the same SHA-1 hash value. If one of the two records looks benign and they can convince a zone owner to sign it, the signature will also apply to the less-benign record that the zone owner never saw.

This improved attack has serious consequences for all parts of the Internet that use SHA-1. In DNSSEC, SHA-1 is part of some signature algorithms which have been used since the early days of securing the DNS. Even though most zones that sign with DNSSEC use algorithms that use stronger hash algorithms, there are still plenty that sign with algorithms that use SHA-1. In fact, more than 250 top-level domains (TLDs) are still using algorithms with SHA-1. Tony Finch, a long-time DNS contributor working at the University of Cambridge, wrote a great in-depth overview of the new attack's relationship to DNSSEC.

Now is the time for administrators of zones at all levels of the DNS to stop using SHA-1 and change to algorithms using stronger hashes. While there is no urgent need to change immediately, the highly publicized announcement of the improved attack will probably spur other researchers to further improve the attacks. Plus, it is expected there will be a time when changing away from SHA-1 will be an emergency. No one wants to have to change their signing processes under extreme time pressure, so changing now or within the next three months will help prevent an urgent need for change later.


    Domain Name System
    Internationalized Domain Name ,IDN,"IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet ""a-z"". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use other types of digits than the European ""0-9"". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed ""ASCII characters"" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of ""Unicode characters"" that provides the basis for IDNs. The ""hostname rule"" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen ""-"". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: A domain name consists of a series of ""labels"" (separated by ""dots""). The ASCII form of an IDN label is termed an ""A-label"". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a ""U-label"". The difference may be illustrated with the Hindi word for ""test"" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of ""ASCII compatible encoding"" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A domain name that only includes ASCII letters, digits, and hyphens is termed an ""LDH label"". Although the definitions of A-labels and LDH-labels overlap, a name consisting exclusively of LDH labels, such as"""" is not an IDN."