They haven’t removed sha1; they have removed certain uses of sha1. If they ever 
remove sha1 we will just add an implementation for sha1. 
-- 
Mark Andrews

> On 16 Dec 2023, at 01:09, Scott Morizot <tmori...@gmail.com> wrote:
> 
> 
>> On Fri, Dec 15, 2023 at 7:40 AM Petr Špaček <pspa...@isc.org> wrote:
>> We do runtime detection at startup because it's configurable, build time 
>> would not work properly.
> 
> Okay, that makes sense. However, if I understood the scenario correctly, it 
> seems like that configuration should then generate a runtime error or at 
> least report that DNSSEC validation has been disabled. The description 
> involved removing support for SHA1 entirely from the underlying system 
> configuration. If that's the case then I don't see how DNSSEC validation can 
> be reliably performed at all. It's not like introducing a new DNSSEC 
> algorithm or removing support for an older DNSSEC algorithm. SHA1 is used to 
> generate the hash label in NSEC3. I know that's been discussed on dnsops, but 
> it hasn't changed. And from algorithm 8 on, there haven't been separate 
> algorithms with and without NSEC3. Rather it's an option that can be 
> configured for signing on a zone by zone basis. So if SHA1 isn't available, I 
> don't see how any of the DNSSEC algorithms could truly be considered 
> supported on the system.
> 
> That's making me curious enough that I might see if I can set up a system 
> where I could reproduce that scenario and see what happens. Unless it's 
> already part of your test suite and you know the answer, of course.
> 
> Scott
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
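
The dependency raised in the quoted message (NSEC3 owner names are SHA-1 hashes, whichever DNSSEC signing algorithm is in use) can be seen in the following added example, which is not part of the original thread and is not BIND's code. It implements the iterated hash from RFC 5155 section 5 with a runtime SHA-1 probe; the function names are hypothetical and the parameters are those of the RFC 5155 Appendix A example zone.

```python
import base64
import hashlib

# Map the standard base32 alphabet onto base32hex (RFC 4648 section 7).
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789ABCDEFGHIJKLMNOPQRSTUV",
)


def sha1_available() -> bool:
    """Probe at runtime whether the crypto backend still offers SHA-1."""
    try:
        hashlib.new("sha1", b"probe")
        return True
    except ValueError:  # raised when the digest is disabled by system policy
        return False


def wire_name(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire format of a domain name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt), with H = SHA-1."""
    if not sha1_available():
        # Without SHA-1 no NSEC3 denial of existence can be checked.
        raise RuntimeError("SHA-1 unavailable: NSEC3 owner names cannot be computed")
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.new("sha1", wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.new("sha1", digest + salt).digest()
    # A 20-byte digest encodes to exactly 32 base32 characters, no padding.
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode().lower()


if __name__ == "__main__":
    # Zone apex of the RFC 5155 Appendix A example: salt aabbccdd, 12 iterations.
    print(nsec3_hash("example", "aabbccdd", 12))
```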