And that doesn’t fail in RH with the tighter crypto. -- Mark Andrews
> On 1 May 2024, at 00:46, Paul Wouters <p...@nohats.ca> wrote:
>
> On Wed, 1 May 2024, Mark Andrews wrote:
>
>> One got servfail because validators were not aware that support was ripped
>> away underneath it. Validators started to get errors that were totally
>> unexpected. Performing runtime testing of algorithm support addressed that
>> by allowing the validator to skip the unsupported algorithm.
>
> The runtime check for SHA1 helped put RSA-SHA1 / NSEC3-RSA-SHA1 into the
> "unsupported" category, but RSA-SHA256 with NSEC3 still uses SHA1
> for hashing the QNAME, and while not cryptographic use, still had
> problems in practice. I don't remember the full details, but I think
> it related to wildcard proofs of non-existence of some kind, leading
> to validation failures.
>
> Paul
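The two mechanisms discussed above, NSEC3 QNAME hashing that depends on SHA-1 regardless of the zone's signing algorithm, and a startup known-answer probe of the kind Mark describes, as an added illustration that is not BIND's or any validator's code. It assumes the RFC 5155 Appendix A vector (salt aabbccdd, 12 iterations) and Python's `hashlib` `usedforsecurity` flag.

```python
"""NSEC3 owner-name hashing (RFC 5155 section 5) plus a runtime known-answer
probe. Constructed example for this thread; not a validator's real code."""
import base64
import hashlib

# RFC 4648 base32 -> base32hex alphabet used in NSEC3 presentation format.
# A 20-byte SHA-1 digest encodes to exactly 32 characters, so no padding.
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def name_to_wire(name: str) -> bytes:
    """Canonical wire form: lowercase labels, each length-prefixed, root 0x00."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def _sha1(data: bytes) -> bytes:
    # Name hashing is not a signature; usedforsecurity=False tells FIPS /
    # crypto-policy builds of hashlib that this is a non-cryptographic use.
    try:
        return hashlib.new("sha1", data, usedforsecurity=False).digest()
    except TypeError:  # Python < 3.9 has no usedforsecurity keyword
        return hashlib.sha1(data).digest()

def nsec3_hash(name: str, salt_hex: str, iterations: int, alg: int = 1) -> str:
    """IH(salt,x,0) = H(x || salt); IH(salt,x,k) = H(IH(salt,x,k-1) || salt).
    Only hash algorithm 1 (SHA-1) is defined, whatever the signing algorithm:
    an RSASHA256-signed NSEC3 zone still needs SHA-1 for every QNAME hash."""
    if alg != 1:
        raise ValueError(f"unknown NSEC3 hash algorithm {alg}")
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = _sha1(name_to_wire(name) + salt)
    for _ in range(iterations):
        digest = _sha1(digest + salt)
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX).lower()

# Known-answer vector from the RFC 5155 Appendix A example zone (apex "example").
KAT = ("example", "aabbccdd", 12, "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom")

def probe_nsec3_support(alg: int = 1) -> bool:
    """Runtime algorithm test: compute the known vector once at startup. If the
    library refuses SHA-1 (raises) or returns a wrong digest, report the
    algorithm as unsupported so affected zones can be treated as insecure
    rather than every lookup ending in SERVFAIL."""
    name, salt, iters, want = KAT
    try:
        return nsec3_hash(name, salt, iters, alg) == want
    except (ValueError, TypeError):
        return False

if __name__ == "__main__":
    print("NSEC3 SHA-1 usable:", probe_nsec3_support())
    print("a.example ->", nsec3_hash("a.example", "aabbccdd", 12))
```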