Hi Folks,

I just wonder what your take is on the current DNSSEC mess with SHA1?

There are still a lot of top level domains being signed with SHA1 and it looks like nobody really cares? Current OS releases like RHEL9 and others simply removed SHA1 from the code, so if you're running BIND with "dnssec-validation auto" all those domains fail to resolve, and the only way is to "dnssec-validation no", which eliminates the whole idea of DNSSEC! The worst is that even nist.gov fails WTF! https://dnsviz.net/d/nist.gov/dnssec/

Any advice or ideas?

Thank you,
Wolfgang

Wolfgang Riedel | Distinguished Engineer | CCIE #13804 | VCP #42559
Am Leitenbruennlein 22 | D-91056 Erlangen | Bayern | Germany
phone: +49-9131-610-310
fax: +49-9131-610-333
email: wolfgang.rie...@f1-consult.com
web: www.f1-consult.com
OpenPGP key: CAF005CEC96C30CF4DBA5AFA3DBAFBAF63364
Zoom: https://zoom.us/j/5776157658
WebEx: https://f1-consult.webex.com/meet/wolfgang.riedel
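Added example, not part of the original message: a triage script that reads DNSKEY, DS and RRSIG records in `dig +dnssec` presentation format and reports which zones are signed only with the SHA-1 based algorithms (IANA numbers 5, RSASHA1, and 7, RSASHA1-NSEC3-SHA1), which are the zones the validation failures described above concern. The zone names and records in `SAMPLE` are constructed, and the function names are this example's own.

```python
from collections import defaultdict

# IANA DNSSEC algorithm numbers whose signatures are computed with SHA-1.
SHA1_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}

# Constructed sample (owner TTL class type rdata), not captured from real zones.
SAMPLE = """\
; constructed records for illustration
legacy.example.  3600 IN DNSKEY 257 3 7 AwEAAcCONSTRUCTED
legacy.example.  3600 IN DNSKEY 256 3 7 AwEAAdCONSTRUCTED
legacy.example.  3600 IN RRSIG DNSKEY 7 2 3600 20250101000000 20241201000000 12345 legacy.example. c2lnQ09OU1RSVUNURUQ=
rolling.example. 3600 IN DNSKEY 257 3 5 AwEAAeCONSTRUCTED
rolling.example. 3600 IN DNSKEY 257 3 13 mdsswCONSTRUCTED
modern.example.  3600 IN DS 2371 13 2 0123456789ABCDEF
modern.example.  3600 IN DNSKEY 257 3 13 oJMRECONSTRUCTED
"""

def zone_algorithms(text):
    """Map each zone name to the set of DNSSEC algorithm numbers seen for it."""
    algs = defaultdict(set)
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or f[0].startswith(";"):
            continue  # blank, comment, or not a full "owner TTL class type ..." line
        owner, rtype = f[0].lower(), f[3].upper()
        if rtype == "DNSKEY":                    # flags protocol ALGORITHM key
            algs[owner].add(int(f[6]))
        elif rtype == "DS":                      # keytag ALGORITHM digest-type digest
            algs[owner].add(int(f[5]))
        elif rtype == "RRSIG" and len(f) > 11:   # f[11] is the signer (zone) name
            algs[f[11].lower()].add(int(f[5]))
    return dict(algs)

def classify(algs):
    """'sha1-only': no non-SHA-1 algorithm present; 'mixed': rollover in progress."""
    sha1 = algs & set(SHA1_ALGS)
    if not sha1:
        return "ok"
    return "sha1-only" if sha1 == algs else "mixed"

def report(text):
    """Return {zone: classification} for every zone seen in the input."""
    return {zone: classify(a) for zone, a in sorted(zone_algorithms(text).items())}

if __name__ == "__main__":
    for zone, status in report(SAMPLE).items():
        print(f"{zone:20} {status}")
```

Feeding it the saved output of `dig +dnssec DNSKEY <zone>` for the zones your users depend on gives a list of the `sha1-only` ones to raise with their operators.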