<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div dir="ltr"><meta http-equiv="content-type" content="text/html; charset=utf-8">On Apr 6, 2022, at 14:38, Petr Menšík via Unbound-users <unbound-users@lists.nlnetlabs.nl> wrote:<br><div dir="ltr"><blockquote type="cite"><br></blockquote></div><blockquote type="cite"><div dir="ltr">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<p>Hello,</p>
<p>I am maintainer of unbound in RHEL. We are preparing RHEL9 (and
CentOS Stream 9). Because preparations for various security
certifications SHA-1 signature validation is disabled now in
upcoming RHEL9.</p>
</div></blockquote><br><div>This is broken and violates RFC 8624.</div><div><br></div><div>It means RHEL9 cannot be used as a platform for DNS resolvers.</div><div><br></div><div>The unbound package should not use crypto-policies if those cannot facilitate the requirements of RFC 8624.</div><div><br></div><div>This would be particularly sad since one of the authors of this RFC (me) wrote it while working at Red Hat.</div><div><br></div><div>If Red Hat proceeds with this, users have two choices. Change the system wide policy to LEGACY and degrading security for everything running on the box (ssh, tls) or stick with rhel8 past its secure and supported date.</div><div><br></div><div>Paul</div></div></body></html>