harden-algo-downgrade & RFC
Daniel Ryšlink
ryslink at dialtelecom.cz
Wed Dec 2 20:40:45 UTC 2020
Hello,
Please, does anyone RFC-knowledgeable know what is the official stance
on this setting? If Unbound has it on "yes", queries into zones that
advertise keys signed with different algorithms always end with SERVFAIL
(to prevent possible attack against the weakest algorithm), otherwise
they are processed without errors.
Is the same algorithm for all keys in a zone RFC-required (MUST), or
just a best practice recommendation (SHOULD)?
Thank you kindly in advance for any advice on the matter.
--
Best Regards,
Daniel Ryšlink