On Apr 6, 2022, at 14:38, Petr Menšík via Unbound-users 
<[email protected]> wrote:
> 
> Hello,
> 
> I am the maintainer of unbound in RHEL. We are preparing RHEL9 (and CentOS Stream 
> 9). Because of preparations for various security certifications, SHA-1 signature 
> validation is now disabled in the upcoming RHEL9.
> 

This is broken and violates RFC 8624.

It means RHEL9 cannot be used as a platform for DNS resolvers.

The unbound package should not use crypto-policies if those cannot facilitate 
the requirements of RFC 8624.

This would be particularly sad since one of the authors of this RFC (me) wrote 
it while working at Red Hat.

If Red Hat proceeds with this, users have two choices: change the system-wide 
policy to LEGACY and degrade security for everything running on the box (ssh, 
tls), or stick with rhel8 past its secure and supported date.

Paul
