On Tue, 2023-09-26 at 09:43 +0200, Bjørn Mork wrote:
> Viktor Dukhovni <[email protected]> writes:
>
> > Many RedHat systems no longer support the
> > SHA1 DNSSEC algorithms 5 and 7 and your domain is "insecure" for
> > validating resolvers running on these systems.
>
> This was a Redhat specific bug affecting validating resolver
> operations. It should be fixed by
> https://access.redhat.com/errata/RHBA-2022:8279

"Fixed" is quite a strong word. Initially, EL9 simply broke SHA1 validation, leading to resolving errors. The "fixes" here turn SHA1 insecure in -some- implementations. Other implementations had to implement their own workarounds to work on EL9 at all.

It was a terrible thing for Red Hat to drop on all these developers and operators, and like so often with Red Hat recently, the community had to step up to compensate.

Kind regards,
-- 
Peter van Dijk
PowerDNS.com B.V. - https://www.powerdns.com/

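Added example, not part of the thread and not code from PowerDNS or Red Hat: a small check that reads a delegation's DS records and reports whether a validator without support for algorithms 5 and 7 still has a usable authentication path. It follows the RFC 4035 section 5.2 rule that a zone whose DS RRset lists only unsupported algorithms is treated as insecure. The zone names, key tags, digests and helper names are constructed, and only the algorithm field is examined.

```python
# Added example: constructed data, hypothetical helper names.
# Algorithms 5 (RSASHA1) and 7 (RSASHA1-NSEC3-SHA1) are the two named in the thread.
SHA1_ALGS = frozenset({5, 7})

# Constructed DS records in zone-file form; digests are placeholders.
SAMPLE_DS = """\
sha1only.example. 3600 IN DS 11111 7 2 00AA  ; only a SHA1-based algorithm
mixed.example.    3600 IN DS 22222 5 2 00BB
mixed.example.    3600 IN DS 33333 13 2 00CC ; ECDSAP256SHA256 alongside
modern.example.   IN DS 44444 13 2 00DD
"""


def parse_ds(text):
    """Yield (owner, key_tag, algorithm) for each DS record found."""
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()   # drop comments
        upper = [f.upper() for f in fields]
        if "DS" not in upper[1:]:               # field 0 is the owner name
            continue
        i = upper.index("DS", 1)
        if len(fields) < i + 5:
            continue                            # truncated record
        yield fields[0].lower(), int(fields[i + 1]), int(fields[i + 2])


def classify(text, unsupported=SHA1_ALGS):
    """Map each zone to 'validatable' or 'insecure' for a given validator.

    A zone is 'insecure' when every algorithm in its DS RRset is one the
    validator does not support, so no authentication path remains.
    """
    algs_by_zone = {}
    for owner, _tag, alg in parse_ds(text):
        algs_by_zone.setdefault(owner, set()).add(alg)
    return {zone: ("validatable" if algs - set(unsupported) else "insecure")
            for zone, algs in algs_by_zone.items()}


if __name__ == "__main__":
    for zone, status in classify(SAMPLE_DS).items():
        print(zone, status)
```

Passing `unsupported=frozenset()` models a validator that still accepts SHA1-based algorithms, which makes the difference between the two populations of resolvers visible for the same zone data.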