On Fri, Mar 07, 2025 at 02:38:23PM -0500, John Griffiths via Postfix-users
wrote:
> As Wietse said, the resolver (bind) was bouncing emails from hosts
> that failed DNSSEC.

Not bouncing mails, perhaps failing to resolve the domain. If you're on
a RedHat system, you need to tweak the crypto policy and run a recent
version of the resolver. I have:

# update-crypto-policies --show
DEFAULT:SHA1

> Some domains are using an old algorithm that is no longer accepted by
> the current DNSSEC default configuration.

This is RedHat-specific. While the SHA1 algorithms are deprecated,
they're still expected to work at present.

> Three I have found are: comcast.net (algorithm 5), medicare.gov
> (algorithm 7), and usps.gov (algorithm 7).

See below. Algorithm 7 use is at ~0.5% of signed zones, while algorithm
5 is at ~0.08%. I do hope that comcast.net will consider switching to
algorithm 13 (or 8) sooner rather than later.

> The current recommended algorithms are 14, 15, and 16 with 15 being
> preferred according to RFC 8624 sec. 3.1.

No, the MTI algorithms are 8 and 13. Algorithm 14 is just a needlessly
slow and bloated version of 13 for those who unwisely believe that
larger keys are always better. While 15 (Ed25519) is technically a fine
alternative to P-256, it does not yet have quite the broad support, so
is still somewhat bleeding edge with an ~1-2% share of signed domains.

https://stats.dnssec-tools.org/#/?top=parameters&dnssec_param_tab=0

Alg  Flags  Proto  #Domains
 13    257      3  11799492
  8    257      3  10006886
 15    257      3    392929
 10    257      3    194926
 14    257      3    154452
  7    257      3    113254
  5    257      3     17789
--
Viktor.
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
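The following audit script is an added illustration, not part of Viktor's message, the Postfix project, or bind. It takes DNSKEY records in presentation form (a full zone-file line or the bare `dig +short DNSKEY` form), maps each algorithm number to its RFC 8624 section 3.1 signing status, separates KSKs (flags 257, SEP bit set) from ZSKs (flags 256), reports the RSA modulus size for the RSA-based algorithms by decoding the RFC 3110 key layout, and flags algorithms 5 and 7 as SHA-1 dependent, which is the case the message describes on RedHat systems whose crypto policy is not set to `DEFAULT:SHA1`. The sample records, the `example.net`/`example.org` owners and the key material are constructed for the demo and are not real keys.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# RFC 8624 section 3.1: algorithm number -> (mnemonic, "DNSSEC Signing" status).
RFC8624_SIGNING = {
    1: ("RSAMD5", "MUST NOT"),
    3: ("DSA", "MUST NOT"),
    5: ("RSASHA1", "NOT RECOMMENDED"),
    6: ("DSA-NSEC3-SHA1", "MUST NOT"),
    7: ("RSASHA1-NSEC3-SHA1", "NOT RECOMMENDED"),
    8: ("RSASHA256", "MUST"),
    10: ("RSASHA512", "NOT RECOMMENDED"),
    12: ("ECC-GOST", "MUST NOT"),
    13: ("ECDSAP256SHA256", "MUST"),
    14: ("ECDSAP384SHA384", "MAY"),
    15: ("ED25519", "RECOMMENDED"),
    16: ("ED448", "MAY"),
}
SHA1_ALGS = {5, 7}            # signatures verified with SHA-1
RSA_ALGS = {1, 5, 7, 8, 10}   # public key uses the RFC 3110 RSA layout

@dataclass
class KeyReport:
    owner: str
    role: str            # "KSK" (SEP bit set, flags 257) or "ZSK" (flags 256)
    algorithm: int
    mnemonic: str
    signing_status: str
    rsa_bits: Optional[int]
    needs_sha1: bool

def rsa_modulus_bits(pubkey: bytes) -> int:
    """Modulus size of an RFC 3110 RSA public key: exp-len, exponent, modulus."""
    if pubkey[0] != 0:
        exp_len, off = pubkey[0], 1
    else:  # exponent length > 255 is encoded in the following two bytes
        exp_len, off = int.from_bytes(pubkey[1:3], "big"), 3
    modulus = pubkey[off + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()

# Accepts "owner [ttl] [IN] DNSKEY flags proto alg key" or bare "flags proto alg key".
_RR = re.compile(
    r"^(?:(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+)?"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>\S.*)$"
)

def parse_dnskey(line: str) -> KeyReport:
    m = _RR.match(line.strip())
    if not m:
        raise ValueError(f"not a DNSKEY record: {line!r}")
    flags, proto, alg = int(m["flags"]), int(m["proto"]), int(m["alg"])
    if proto != 3:
        raise ValueError(f"unexpected DNSKEY protocol {proto}, must be 3")
    # dig wraps long base64 keys with spaces; strip them before decoding
    pubkey = base64.b64decode("".join(m["key"].split()))
    mnemonic, status = RFC8624_SIGNING.get(alg, (f"alg{alg}", "UNKNOWN"))
    return KeyReport(
        owner=m["owner"] or "(no owner)",
        role="KSK" if flags & 1 else "ZSK",   # bit 15 of flags is SEP
        algorithm=alg,
        mnemonic=mnemonic,
        signing_status=status,
        rsa_bits=rsa_modulus_bits(pubkey) if alg in RSA_ALGS else None,
        needs_sha1=alg in SHA1_ALGS,
    )

def audit(lines: List[str]) -> List[KeyReport]:
    """Parse every non-comment, non-blank record line."""
    return [parse_dnskey(l) for l in lines if l.strip() and not l.lstrip().startswith(";")]

def findings(reports: List[KeyReport]) -> List[str]:
    out = []
    for r in reports:
        if r.signing_status in ("MUST NOT", "NOT RECOMMENDED"):
            out.append(f"{r.owner} {r.role}: {r.mnemonic} ({r.algorithm}) is "
                       f"{r.signing_status} for signing per RFC 8624; prefer 13 or 8")
        if r.needs_sha1:
            out.append(f"{r.owner} {r.role}: validation needs SHA-1; a RHEL resolver "
                       f"under the DEFAULT crypto policy fails it unless DEFAULT:SHA1 is set")
    return out

def _rsa_key_blob(bits: int, exponent: int = 65537) -> bytes:
    """Constructed RFC 3110 blob with a synthetic modulus; not a real key."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    modulus = ((1 << (bits - 1)) | 0x10001).to_bytes(bits // 8, "big")
    return bytes([len(exp)]) + exp + modulus

# Constructed sample RRset: an alg-5 KSK/ZSK pair and an alg-13 KSK.
SAMPLE_RRS = [
    "example.net. 3600 IN DNSKEY 257 3 5 " + base64.b64encode(_rsa_key_blob(1024)).decode(),
    "example.net. 3600 IN DNSKEY 256 3 5 " + base64.b64encode(_rsa_key_blob(1024)).decode(),
    "example.org. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(bytes(range(64))).decode(),
]

if __name__ == "__main__":
    for r in audit(SAMPLE_RRS):
        print(r)
    for f in findings(audit(SAMPLE_RRS)):
        print("!", f)
```

In practice the input would be the output of `dig +short DNSKEY <zone>` or the DNSKEY RRset pulled from a zone file; the script only inspects the key metadata and never validates signatures, so it is a quick inventory check rather than a replacement for a validating resolver.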