DNSSEC validation in CentOS Stream 9

Paul Wouters paul at nohats.ca
Thu Sep 8 13:06:53 UTC 2022

On Thu, 8 Sep 2022, Josef Vybíhal via Unbound-users wrote:

> Thanks! I now remember, I have seen Petr discussing something similar
> on the Bind Users mailing list.

You can run: sudo update-crypto-policies --set LEGACY

That will enable SHA1 again to be useful for validation.

It will unfortunately also enable SHA1 for other things like sshd.

I tried to communicate this to Red Hat but they weren't willing
to budge and allow sha1 for dnssec, thereby reducing people's
security from "attacking sha1" to "just spoof it" :/

Luckilly, only like 0.08% of dnssec signed zones is still using sha1
and we have a draft underway at IETF to push people further away
from sha1.



More information about the Unbound-users mailing list