harden-algo-downgrade & RFC

Daniel Ryšlink ryslink at dialtelecom.cz
Wed Dec 2 20:40:45 UTC 2020


Hello,

Please, does anyone RFC-knowledgeable know what the official stance is
on this setting? If Unbound has it on "yes", queries into zones that 
advertise keys signed with different algorithms always end with SERVFAIL 
(to prevent possible attack against the weakest algorithm), otherwise 
they are processed without errors.

Is the same algorithm for all keys in a zone required by RFC (MUST), or 
just a best practice recommendation (SHOULD)?

Thank you kindly in advance for any advice on the matter.

-- 
Best Regards,
Daniel Ryšlink


