On 06. 04. 22 23:29, Paul Wouters via Unbound-users wrote:
On Apr 6, 2022, at 14:38, Petr Menšík via Unbound-users
<[email protected]> wrote:
Hello,
I am the maintainer of unbound in RHEL. We are preparing RHEL9 (and CentOS
Stream 9). Because of preparations for various security certifications,
SHA-1 signature validation is now disabled in the upcoming RHEL9.
This is broken and violates RFC 8624.
It's local policy, which usually takes precedence over whatever
algorithms are prescribed by the default non-local policy. If RHEL wants it
that way, let them deal with the consequences of their choices.
After all, maybe they got the policy right!
draft-fanf-dnsop-sha-ll-not-00.txt seems persuasive to me.
In any case, I think it would be a good idea to treat that as any other
unsupported algorithm and thus DNSSEC-insecure.
--
Petr Špaček @ Internet Systems Consortium
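The distinction the thread turns on (an algorithm that is withdrawn from the supported set yields "insecure", while an algorithm that stays "supported" but whose signatures the crypto layer refuses yields "bogus") as an added illustration; this is a toy model written for this page, not code from Unbound, RHEL or anyone in the thread. Algorithm and digest numbers are the IANA DNSSEC values; the DS records and the verify callback are constructed.

```python
# Toy validator decision for one delegation, following RFC 4035 section 5.2 /
# RFC 6840 section 5.2: a DS RRset with no supported algorithm and digest is
# treated like a proof that no DS exists (insecure), not as a failure (bogus).

SHA1_ALGS = {5, 7}            # RSASHA1, RSASHA1-NSEC3-SHA1
SHA1_DIGEST = 1               # DS digest type 1 = SHA-1
SUPPORTED_ALGS = {5, 7, 8, 10, 13, 14, 15, 16}
SUPPORTED_DIGESTS = {1, 2, 4}


def usable_ds(ds_rrset, algs, digests):
    """DS records the validator can act on: algorithm and digest both supported."""
    return [ds for ds in ds_rrset
            if ds["alg"] in algs and ds["digest_type"] in digests]


def validate_delegation(ds_rrset, verify, sha1_policy="allow"):
    """Classify a delegation as 'secure', 'insecure' or 'bogus'.

    ds_rrset:    list of {"alg": int, "digest_type": int} for the child's DS set
    verify:      callable(ds) -> bool, standing in for checking the child's
                 DNSKEY RRset and its RRSIG against that DS (the crypto layer)
    sha1_policy: "allow"       - SHA-1 is an ordinary supported algorithm
                 "unsupported" - local policy removes SHA-1 from the supported
                                 set (the outcome suggested in the thread)
                 "fail"        - SHA-1 stays listed as supported, but the crypto
                                 layer refuses it, so nothing ever verifies
    """
    algs, digests = set(SUPPORTED_ALGS), set(SUPPORTED_DIGESTS)
    if sha1_policy == "unsupported":
        algs -= SHA1_ALGS
        digests.discard(SHA1_DIGEST)
    candidates = usable_ds(ds_rrset, algs, digests)
    if not candidates:
        return "insecure"     # no usable DS: child is treated as unsigned
    for ds in candidates:
        uses_sha1 = ds["alg"] in SHA1_ALGS or ds["digest_type"] == SHA1_DIGEST
        if sha1_policy == "fail" and uses_sha1:
            continue          # crypto layer rejects it, signature never checks out
        if verify(ds):
            return "secure"
    return "bogus"            # usable DS existed, but no signature verified


# Constructed sample: a child zone signed only with RSASHA1 (alg 5), SHA-256 DS digest.
SHA1_ONLY_ZONE = [{"alg": 5, "digest_type": 2}]


def always_valid(ds):
    """Stand-in crypto check that accepts every DS (constructed for the sample)."""
    return True


if __name__ == "__main__":
    for policy in ("allow", "unsupported", "fail"):
        print(policy, "->", validate_delegation(SHA1_ONLY_ZONE, always_valid, policy))
```

A zone that also publishes a non-SHA-1 DS (for example alg 13) still validates as secure under the "unsupported" policy, which is why withdrawing the algorithm only downgrades zones that have nothing else to offer.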