Unable to resolv 1 domain
wouter at nlnetlabs.nl
Mon Apr 10 13:10:30 UTC 2017
On 10/04/17 14:57, Ondřej Surý wrote:
> I see - the 31653 DS is only algo 1, but the other one is 1,2, but
> But RFC 4509 says:
> 3. Implementation Requirements
> Implementations MUST support the use of the SHA-256 algorithm in DS
> RRs. Validator implementations SHOULD ignore DS RRs containing SHA-1
> digests if DS RRs with SHA-256 digests are present in the DS RRset.
> So perhaps Unbound is too strict here? There are no known usable
> attacks on SHA-1 for use in DNSSEC, so I don't think it's necessary to
> ignore it right _now_.
But unbound clearly implements the SHOULD and thus should be
interoperable? That is what the 'SHOULD' is there for, right?
So, I am doing this because I think it is the standard. And I think so
I didn't do this out of strictness, but out of trying to implement
exactly what the standard said.
Best regards, Wouter
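To make the interoperability question concrete, here is an added illustration (not Unbound's code, and not from either poster) of the two possible readings of RFC 4509 section 3 applied to a DS RRset like the one in the thread: key tag 31653 with a SHA-1 digest only, and a second key (placeholder tag 12345, digests constructed) with both SHA-1 and SHA-256 digests.

```python
from dataclasses import dataclass

DIGEST_SHA1 = 1    # DS digest type 1 (RFC 4034)
DIGEST_SHA256 = 2  # DS digest type 2 (RFC 4509)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int    # DNSKEY algorithm number
    digest_type: int  # 1 = SHA-1, 2 = SHA-256
    digest: str       # hex digest (constructed sample values below)


def usable_ds_rrset_scope(rrset):
    """RFC 4509 section 3 read at RRset scope: if any DS in the RRset
    carries a SHA-256 digest, every SHA-1 DS in the RRset is ignored,
    whichever key tag it refers to. A key published with a SHA-1 DS
    only then has no usable DS at all."""
    if any(ds.digest_type == DIGEST_SHA256 for ds in rrset):
        return [ds for ds in rrset if ds.digest_type != DIGEST_SHA1]
    return list(rrset)


def usable_ds_per_key(rrset):
    """Contrasting per-key reading (not the RFC's wording, shown only
    to make the difference visible): a SHA-1 DS is ignored only when
    the same key tag also has a SHA-256 DS."""
    sha256_tags = {ds.key_tag for ds in rrset if ds.digest_type == DIGEST_SHA256}
    return [ds for ds in rrset
            if not (ds.digest_type == DIGEST_SHA1 and ds.key_tag in sha256_tags)]


def keys_with_usable_ds(rrset, policy):
    """Key tags a validator could still chain to under the given policy."""
    return {ds.key_tag for ds in policy(rrset)}


# Constructed sample mirroring the thread: 31653 has SHA-1 only,
# the hypothetical key 12345 has both SHA-1 and SHA-256 DS records.
SAMPLE_RRSET = [
    DS(31653, 8, DIGEST_SHA1, "aa" * 20),
    DS(12345, 8, DIGEST_SHA1, "bb" * 20),
    DS(12345, 8, DIGEST_SHA256, "cc" * 32),
]

if __name__ == "__main__":
    print("RRset scope:", keys_with_usable_ds(SAMPLE_RRSET, usable_ds_rrset_scope))
    print("per key:    ", keys_with_usable_ds(SAMPLE_RRSET, usable_ds_per_key))
```

Under the RRset-scope reading, key 31653 loses its only DS, so a zone signed with that key alone cannot be chained to; under the per-key reading both keys remain usable, which is the interoperability gap the thread is about.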