DNSSEC validation in CentOS Stream 9
paul at nohats.ca
Thu Sep 8 13:06:53 UTC 2022
On Thu, 8 Sep 2022, Josef Vybíhal via Unbound-users wrote:
> Thanks! I now remember, I have seen Petr discussing something similar
> on the Bind Users mailing list.
You can run: sudo update-crypto-policies --set LEGACY
That will enable SHA1 again to be useful for validation.
It will unfortunately also enable SHA1 for other things like sshd.
I tried to communicate this to Red Hat but they weren't willing
to budge and allow sha1 for dnssec, thereby reducing people's
security from "attacking sha1" to "just spoof it" :/
Luckilly, only like 0.08% of dnssec signed zones is still using sha1
and we have a draft underway at IETF to push people further away
More information about the Unbound-users