Unable to resolv 1 domain
W.C.A. Wijngaards
wouter at nlnetlabs.nl
Mon Apr 10 13:10:30 UTC 2017
Hi Ondrej,
On 10/04/17 14:57, Ondřej Surý wrote:
> I see - the 31653 DS is only algo 1, but the other one is 1,2, but
>
> But RFC 4509 says:
>
> 3. Implementation Requirements
>
> Implementations MUST support the use of the SHA-256 algorithm in DS
> RRs. Validator implementations SHOULD ignore DS RRs containing SHA-1
> digests if DS RRs with SHA-256 digests are present in the DS RRset.
>
> So perhaps Unbound is too strict here? There are no known usable
> attacks on SHA-1 for use in DNSSEC, so I don't think it's necessary to
> ignore it right _now_.
But unbound clearly implements the SHOULD and thus should be
interoperable? That is what the 'SHOULD' is there for, right?
So, I am doing this because I think it is the standard. And I think so
should you.
I didn't do this out of strictness, but out of trying to implement
exactly what the standard said.
Best regards, Wouter
>
> O.
>
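The RFC 4509 section 3 rule the thread argues about, shown as an added example (this is not Unbound's code and not from the list). It builds DS records from constructed DNSKEY RRs (placeholder key material, not real keys), applies the "ignore SHA-1 DS when a SHA-256 DS is present" filter, and reports which keys remain usable as secure entry points under the strict and the lenient reading:

```python
import hashlib
from dataclasses import dataclass

SHA1, SHA256 = 1, 2                       # DS digest type codes (RFC 4034, RFC 4509)
HASHERS = {SHA1: hashlib.sha1, SHA256: hashlib.sha256}

@dataclass(frozen=True)
class DNSKEY:
    name: str; flags: int; protocol: int; algorithm: int; pubkey: bytes
    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.pubkey
    def key_tag(self) -> int:             # RFC 4034 Appendix B (non-RSAMD5 keys)
        ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(self.rdata()))
        return (ac + (ac >> 16)) & 0xFFFF

@dataclass(frozen=True)
class DS:
    key_tag: int; algorithm: int; digest_type: int; digest: bytes

def wire_name(name: str) -> bytes:        # canonical (lowercase) wire-format owner name
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def ds_from_dnskey(key: DNSKEY, digest_type: int) -> DS:
    # DS digest = hash(owner name | DNSKEY RDATA), RFC 4034 section 5.1.4
    h = HASHERS[digest_type](wire_name(key.name) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, digest_type, h)

def usable_ds(ds_rrset, prefer_sha256=True):
    """RFC 4509 section 3: if any SHA-256 DS is present, ignore the SHA-1 ones."""
    supported = [ds for ds in ds_rrset if ds.digest_type in HASHERS]
    if prefer_sha256 and any(ds.digest_type == SHA256 for ds in supported):
        supported = [ds for ds in supported if ds.digest_type != SHA1]
    return supported

def secure_entry_points(ds_rrset, dnskeys, prefer_sha256=True):
    """Key tags of the DNSKEYs that some usable DS record actually matches."""
    usable = usable_ds(ds_rrset, prefer_sha256)
    return {k.key_tag() for k in dnskeys
            if any(ds_from_dnskey(k, ds.digest_type) == ds for ds in usable)}

# Constructed demo keys (placeholder bytes, not real key material) modelling the thread:
# key A is published with a SHA-1 DS only, key B with both a SHA-1 and a SHA-256 DS.
KEY_A = DNSKEY("example.test.", 257, 3, 8, b"\x03\x01\x00\x01" + b"A" * 32)
KEY_B = DNSKEY("example.test.", 257, 3, 8, b"\x03\x01\x00\x01" + b"B" * 32)
DS_RRSET = [ds_from_dnskey(KEY_A, SHA1), ds_from_dnskey(KEY_B, SHA1), ds_from_dnskey(KEY_B, SHA256)]

if __name__ == "__main__":
    print("strict (RFC 4509 SHOULD):", secure_entry_points(DS_RRSET, [KEY_A, KEY_B]))
    print("lenient (keep SHA-1 DS): ", secure_entry_points(DS_RRSET, [KEY_A, KEY_B], prefer_sha256=False))
```

Under the strict reading only key B can anchor the chain, so a DNSKEY RRset signed solely by key A fails validation even though its SHA-1 DS is present and correct.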