Runtime detection of SHA-1 support in unbound
Petr Špaček
pspacek at isc.org
Thu Apr 7 09:52:15 UTC 2022
On 06. 04. 22 23:29, Paul Wouters via Unbound-users wrote:
> On Apr 6, 2022, at 14:38, Petr Menšík via Unbound-users
> <unbound-users at lists.nlnetlabs.nl> wrote:
>>
>> Hello,
>>
>> I am the maintainer of unbound in RHEL. We are preparing RHEL9 (and CentOS
>> Stream 9). Because of preparations for various security certifications,
>> SHA-1 signature validation is now disabled in the upcoming RHEL9.
>>
>
> This is broken and violates RFC 8624.
It's local policy, which usually takes precedence over whatever
algorithms are prescribed by default non-local policy. If RHEL wants it
that way let them deal with consequences of their choices.
After all, maybe they got the policy right!
draft-fanf-dnsop-sha-ll-not-00.txt seems persuasive to me.
In any case, I think it would be a good idea to treat that as any other
unsupported algorithm and thus DNSSEC-insecure.
--
Petr Špaček @ Internet Systems Consortium
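The behaviour Petr proposes above, treating a locally disabled algorithm exactly like one the validator never implemented, is the rule in RFC 4035 section 5.2 and RFC 6840 section 5.2: DS records the validator cannot use are ignored, and a delegation with no usable DS left is treated as Insecure (as if the parent had proven there is no DS), not Bogus. The following is an added illustration of that decision, written for this page; it is not code from the thread or from unbound, and the policy sets, the DS records and the `classify_delegation` helper are constructed here. Whether the RHEL9 policy also rejects DS digest type 1 (SHA-1) is not stated in the thread, so the no-SHA-1 policy below drops only the SHA-1 signature algorithms, as the quoted message describes.

```python
"""Added example: how a DNSSEC validator's local algorithm policy decides
whether a delegation is validated at all (RFC 4035 s.5.2, RFC 6840 s.5.2).
Not from the mailing-list thread and not unbound's own code."""
from dataclasses import dataclass

# DNSSEC signing algorithm numbers from the IANA registry.
RSASHA1 = 5
RSASHA1_NSEC3_SHA1 = 7
RSASHA256 = 8
ECDSAP256SHA256 = 13
ED25519 = 15

# DS digest type numbers from the IANA registry.
DS_SHA1 = 1
DS_SHA256 = 2

# Signature algorithms whose hash is SHA-1 (DSA, 3 and 6, also uses SHA-1
# but is left out here because it is already MUST NOT in RFC 8624).
SHA1_SIGNATURE_ALGORITHMS = {RSASHA1, RSASHA1_NSEC3_SHA1}

# Policy of a validator that implements everything listed above.
DEFAULT_POLICY = {
    "algorithms": {RSASHA1, RSASHA1_NSEC3_SHA1, RSASHA256, ECDSAP256SHA256, ED25519},
    "digests": {DS_SHA1, DS_SHA256},
}

# Hypothetical policy modelling the RHEL9 choice described in the thread:
# SHA-1 *signature* validation disabled. DS digest type 1 is a separate knob
# and is left enabled here (assumption, not stated in the thread).
NO_SHA1_SIGNATURES_POLICY = {
    "algorithms": DEFAULT_POLICY["algorithms"] - SHA1_SIGNATURE_ALGORITHMS,
    "digests": DEFAULT_POLICY["digests"],
}


@dataclass(frozen=True)
class DS:
    """The fields of a DS record that matter for the algorithm decision."""
    key_tag: int
    algorithm: int
    digest_type: int


def usable_ds(ds_rrset, policy):
    """DS records whose algorithm and digest type the validator supports.

    RFC 6840 s.5.2: a validator ignores DS records with an unknown algorithm
    or digest type and accepts any single usable path; it does not require
    every algorithm signalled in the DS RRset to work."""
    return [
        ds for ds in ds_rrset
        if ds.algorithm in policy["algorithms"]
        and ds.digest_type in policy["digests"]
    ]


def classify_delegation(ds_rrset, policy):
    """'insecure': no usable DS, so the child is treated like an unsigned
    zone (same as an authenticated proof that no DS exists).
    'validate':  at least one usable DS, so the DNSKEY/RRSIG chain must be
    checked, and a failure there makes the zone Bogus."""
    return "validate" if usable_ds(ds_rrset, policy) else "insecure"


# Constructed sample delegations (key tags and contents are made up).
SHA1_ONLY_ZONE = [DS(12345, RSASHA1, DS_SHA1), DS(12345, RSASHA1, DS_SHA256)]
MIXED_ZONE = [DS(111, RSASHA1_NSEC3_SHA1, DS_SHA256), DS(222, RSASHA256, DS_SHA256)]
MODERN_ZONE = [DS(333, ECDSAP256SHA256, DS_SHA256)]


if __name__ == "__main__":
    for name, rrset in (("sha1-only", SHA1_ONLY_ZONE),
                        ("mixed", MIXED_ZONE),
                        ("modern", MODERN_ZONE)):
        print(f"{name:10} default: {classify_delegation(rrset, DEFAULT_POLICY):9}"
              f" no-sha1-sigs: {classify_delegation(rrset, NO_SHA1_SIGNATURES_POLICY)}")
```

The point of the mixed case is that a zone which keeps an RSASHA1 key beside an RSASHA256 key is still validated under the restricted policy, because one usable DS is enough; only a zone signed exclusively with SHA-1 algorithms falls back to Insecure. An operator who instead made such zones Bogus would break resolution for them, which is the outcome a local policy of this kind has to avoid.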