Unbound 1.6.2rc1 pre-release
A. Schulze
sca at andreasschulze.de
Sat Apr 22 11:43:41 UTC 2017
On 22.04.2017 at 13:20, A. Schulze via Unbound-users wrote:
>
>
> On 13.04.2017 at 10:17, W.C.A. Wijngaards via Unbound-users wrote:
>
>> Unbound 1.6.2rc1 maintainers prerelease is available:
>> - --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and
>> DS records. NSEC3 is not disabled.
>
> I tried --disable-sha1 and found any org. zone no longer got validated
> (was handled like unsigned)
There are currently 2727 DS records in the root zone.
65 x Algorithm 5 for DNSKEY RSA/SHA-1
474 x Algorithm 7 for DNSKEY RSASHA1-NSEC3-SHA1
2152 x Algorithm 8 for DNSKEY RSA/SHA-256
36 x Algorithm 10 for DNSKEY RSA/SHA512
--disable-sha1 makes 539 zones / ~20% of the root zone unsigned.
That strongly does not sound like "enabled on production systems" :-)
Andreas
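
An added example, not part of the original message: one way to reproduce a per-algorithm DS tally like the one above from a root zone file, and to list the delegations whose DS set names only algorithms 5 or 7. The sample records are constructed, and the "SHA-1 only" rule assumes the RFC 4035 behaviour that a validator treats a delegation as unsigned only when it supports none of the algorithms in the DS set.

```python
import collections

# Constructed sample in root-zone master-file layout (not real root zone data).
SAMPLE_ZONE = """\
; owner   ttl   class type keytag alg digesttype digest
org.      86400 IN DS 1001 7 1 AAAA
org.      86400 IN DS 1001 7 2 BBBB
com.      86400 IN DS 2002 8 2 CCCC
example.  86400 IN DS 3003 5 1 DDDD
example.  86400 IN DS 3004 8 2 EEEE
test.     86400 IN DS 4004 10 2 FFFF
test.     86400 IN NS a.nic.test.
"""

# DNSKEY algorithms the post counts as SHA-1 based:
# 5 = RSA/SHA-1, 7 = RSASHA1-NSEC3-SHA1.
SHA1_ALGORITHMS = {5, 7}


def parse_ds(zone_text):
    """Yield (owner, algorithm) for every DS record line in the zone text."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        # Expected layout: owner ttl class type keytag algorithm digesttype digest
        if len(fields) >= 8 and fields[2].upper() == "IN" and fields[3].upper() == "DS":
            yield fields[0].lower(), int(fields[5])


def tally(zone_text):
    """Return (DS records per algorithm, SHA-1-only owners, owners with DS)."""
    per_algorithm = collections.Counter()
    per_owner = collections.defaultdict(set)
    for owner, algorithm in parse_ds(zone_text):
        per_algorithm[algorithm] += 1
        per_owner[owner].add(algorithm)
    # A delegation loses validation only if every algorithm in its DS set is
    # unsupported; one with an additional algorithm 8 record stays secure.
    sha1_only = sorted(o for o, algs in per_owner.items() if algs <= SHA1_ALGORITHMS)
    return per_algorithm, sha1_only, len(per_owner)


if __name__ == "__main__":
    counts, sha1_only, signed = tally(SAMPLE_ZONE)
    for algorithm in sorted(counts):
        print(f"{counts[algorithm]:5d} x Algorithm {algorithm}")
    print(f"{len(sha1_only)} of {signed} signed delegations are SHA-1 only: {sha1_only}")
```

Counting distinct owner names rather than DS records matters because a delegation can publish several DS records, so the two totals can differ.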