Runtime detection of SHA-1 support in unbound
Petr Menšík
pemensik at redhat.com
Thu Apr 7 13:42:15 UTC 2022
On 4/7/22 11:52, Petr Špaček via Unbound-users wrote:
> On 06. 04. 22 23:29, Paul Wouters via Unbound-users wrote:
>> On Apr 6, 2022, at 14:38, Petr Menšík via Unbound-users
>> <unbound-users at lists.nlnetlabs.nl> wrote:
>>>
>>>
>>>
>>> Hello,
>>>
>>> I am maintainer of unbound in RHEL. We are preparing RHEL9 (and
>>> CentOS Stream 9). Because preparations for various security
>>> certifications SHA-1 signature validation is disabled now in
>>> upcoming RHEL9.
>>>
>>
>> This is broken and violates RFC 8624.
>
> It's local policy, which usually takes precedence over whatever
> algorithms are prescribed by default non-local policy. If RHEL wants
> it that way let them deal with consequences of their choices.
>
> After all, maybe they got the policy right!
> draft-fanf-dnsop-sha-ll-not-00.txt seems persuasive to me.
>
> In any case, I think it would be a good idea to treat that as any
> other unsupported algorithm and thus DNSSEC-insecure.
>
I did not expect to see you here. Similar problem is with named, which
has a workaround with included config. delv tool has no workaround
however, so similar thing should be implemented also in bind sources. I
think no open source implementation would cope with this policy without
changes. If it doesn't avoid using openssl or gnutls like dnsmasq does.
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
More information about the Unbound-users
mailing list