DNSSEC validation in CentOS Stream 9
Paul Wouters
paul at nohats.ca
Thu Sep 8 13:06:53 UTC 2022
On Thu, 8 Sep 2022, Josef Vybíhal via Unbound-users wrote:
> Thanks! I now remember, I have seen Petr discussing something similar
> on the Bind Users mailing list.
You can run: sudo update-crypto-policies --set LEGACY
That will enable SHA1 again to be useful for validation.
It will unfortunately also enable SHA1 for other things like sshd.
I tried to communicate this to Red Hat but they weren't willing
to budge and allow sha1 for dnssec, thereby reducing people's
security from "attacking sha1" to "just spoof it" :/
Luckily, only about 0.08% of DNSSEC-signed zones are still using SHA1,
and we have a draft underway at IETF to push people further away
from SHA1.
https://datatracker.ietf.org/doc/html/draft-hardaker-dnsop-rfc8624-bis
Paul
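Before deciding whether to drop to the LEGACY policy, it helps to know whether the zones you depend on (or serve) are among the small fraction still signed with a SHA-1 algorithm. The following is an added example, not code from this thread or from Unbound: it parses DNSKEY records in zone-file presentation format, computes each key's RFC 4034 Appendix B key tag so the output can be matched against dig/delv output, and flags the algorithms that depend on SHA-1 (3, 5, 6 and 7) and therefore cannot be validated once a crypto policy refuses SHA-1 signatures. The function names are mine, and the two sample records are constructed with deliberately tiny key payloads so the example runs offline; they are not real key material.

```python
"""Audit a DNSKEY RRset for SHA-1-dependent DNSSEC algorithms (added example)."""
import base64

# DNSSEC algorithm numbers from the IANA registry.
ALGORITHMS = {
    3: "DSA/SHA1",
    5: "RSASHA1",
    6: "DSA-NSEC3-SHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
    15: "ED25519",
    16: "ED448",
}
# Every algorithm in this set signs with SHA-1, which is exactly what a
# SHA-1-forbidding crypto policy stops the validator from verifying.
SHA1_ALGORITHMS = {3, 5, 6, 7}

# Constructed sample RRset: one SHA-1 KSK (alg 7) and one ECDSA ZSK (alg 13).
# The base64 payloads decode to a few bytes and are NOT real public keys.
SAMPLE_DNSKEYS = """\
example.test. 3600 IN DNSKEY 257 3 7 AQID
example.test. 3600 IN DNSKEY 256 3 13 BAUGBw==
"""


def parse_dnskey(line):
    """Parse '<owner> [ttl] [class] DNSKEY <flags> <proto> <alg> <base64...>'."""
    fields = line.split()
    if "DNSKEY" not in fields:
        raise ValueError("not a DNSKEY record: %r" % line)
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    # The key may be split across several whitespace-separated chunks.
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return {
        "owner": fields[0],
        "flags": flags,
        "protocol": protocol,
        "algorithm": algorithm,
        "pubkey": pubkey,
    }


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the wire-format RDATA.

    The special case for algorithm 1 (RSA/MD5) is not implemented; that
    algorithm is obsolete and must not be used.
    """
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def audit(zone_text):
    """Return one finding per DNSKEY: key tag, role, algorithm, SHA-1 dependency."""
    findings = []
    for line in zone_text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        rr = parse_dnskey(line)
        findings.append({
            "owner": rr["owner"],
            "key_tag": key_tag(rr["flags"], rr["protocol"], rr["algorithm"], rr["pubkey"]),
            # Flag bit 0 is SEP: set on keys intended as KSKs (257), clear on ZSKs (256).
            "role": "KSK" if rr["flags"] & 1 else "ZSK",
            "algorithm": rr["algorithm"],
            "name": ALGORITHMS.get(rr["algorithm"], "unknown(%d)" % rr["algorithm"]),
            "sha1": rr["algorithm"] in SHA1_ALGORITHMS,
        })
    return findings


def needs_algorithm_rollover(zone_text):
    """True if any key in the RRset would fail to validate without SHA-1."""
    return any(f["sha1"] for f in audit(zone_text))


if __name__ == "__main__":
    for f in audit(SAMPLE_DNSKEYS):
        status = "SHA-1: unverifiable under a no-SHA-1 policy" if f["sha1"] else "ok"
        print("%s %s tag=%d %s (%d) %s" % (f["owner"], f["role"], f["key_tag"],
                                           f["name"], f["algorithm"], status))
    print("rollover needed:", needs_algorithm_rollover(SAMPLE_DNSKEYS))
```

Feed it the output of `dig +multi DNSKEY <zone>` (comment lines are skipped) for each zone you care about; any finding with `sha1` set is a zone that the DEFAULT policy on CentOS Stream 9 will not be able to verify, and the key tag tells you which key in the RRset is the problem.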