Unbound 1.6.2rc1 pre-release
Viktor Dukhovni
ietf-dane at dukhovni.org
Sun Apr 23 16:46:52 UTC 2017
On Sat, Apr 22, 2017 at 01:43:41PM +0200, A. Schulze wrote:
> Am 22.04.2017 um 13:20 schrieb A. Schulze via Unbound-users:
> > Am 13.04.2017 um 10:17 schrieb W.C.A. Wijngaards via Unbound-users:
> >
> >> Unbound 1.6.2rc1 maintainers prerelease is available:
> >> - --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and
> >> DS records. NSEC3 is not disabled.
> >
> > I tried --disable-sha1 and found any org. zone no longer got validated
> > (was handled like unsigned)
>
> there are currently 2727 DS records in the root zone.
> 65 x Algorithm 5 for DNSKEY RSA/SHA-1
Note that this includes the ".se" TLD which I believe has one of
the highest number of signed child 2LDs. Among zones for which
I can get complete zone data, the signed 2LD child count is:
  685654  se    ALG 5   (RSA/SHA-1)
  654244  com   ALG 8   (RSA/SHA-256)
  104376  net   ALG 8
   84536  nu    ALG 7   (RSA/SHA-1 NSEC3-SHA1)
   75838  org   ALG 7
   19909  ovh   ALG 8
    7401  xyz
  ...
(Incomplete) data from other sources yields lower bounds for
additional TLDs:
  514361  nl    ALG 8
  313133  fr    ALG 8
  175890  cz    ALG 10  (RSA/SHA-512)
  165568  no    ALG 8
  116359  de    ALG 8
   91986  eu    ALG 8
   49890  br    ALG 5
   19818  info  ALG 7
   16756  hu    ALG 8
   15379  biz   ALG 8
   14167  pw    ALG 7
   14009  be    ALG 8
    5504  at    ALG 8
  ...
> --disable-sha1 makes 539 zones / ~20% of the root zone unsigned
> sounds strongly not like "enabled on production systems" :-)
Yes, this loses .se, .nu, .org, .br, .info and .pw which collectively
account for at least 930k signed 2LD domains out of a total of
around 3 million. So that's closer to 30% of the deployed base.
--
Viktor.