Runtime detection of SHA-1 support in unbound

Paul Wouters paul at nohats.ca
Wed Apr 6 21:29:47 UTC 2022


On Apr 6, 2022, at 14:38, Petr Menšík via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:
> 
> Hello,
> 
> I am the maintainer of unbound in RHEL. We are preparing RHEL9 (and CentOS Stream 9). Because of preparations for various security certifications, SHA-1 signature validation is now disabled in the upcoming RHEL9.
> 

This is broken and violates RFC 8624.

It means RHEL9 cannot be used as a platform for DNS resolvers.

The unbound package should not use crypto-policies if those cannot facilitate the requirements of RFC 8624.

This would be particularly sad since one of the authors of this RFC (me) wrote it while working at Red Hat.

If Red Hat proceeds with this, users have two choices: change the system-wide policy to LEGACY, degrading security for everything running on the box (ssh, tls), or stick with RHEL8 past its secure and supported date.

Paul