On Tue, Sep 26, 2023 at 09:43:25AM +0200, Bjørn Mork wrote:
> Viktor Dukhovni <[email protected]> writes:
>
> > Many RedHat systems no longer support the
> > SHA1 DNSSEC algorithms 5 and 7 and your domain is "insecure" for
> > validating resolvers running on these systems.
>
> This was a Redhat specific bug affecting validating resolver
> operations. It should be fixed by
> https://access.redhat.com/errata/RHBA-2022:8279

The "fix" was to treat algorithms 5 and 7 as unsupported, and the
corresponding zones as unsigned.  The behaviour before the fix was
validation failure with the domain treated as "bogus".

> RSASHA1 validation is not optional. It's still a MUST:
> https://datatracker.ietf.org/doc/html/rfc8624#section-3.1

That is somewhat dated (predates
https://www.dns.cam.ac.uk/news/2020-01-09-sha-mbles.html), and is in
any case ignored by RedHat.

> (and anyone who believe that's wrong should work to update the standard,
> not violate it. You'd think players like Redhat knew that)

You'd think, but they did what they did.  And regardless, the algorithm
rollover is still overdue.

-- 
    Viktor.
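The distinction Viktor draws above (a resolver that does not support a DS algorithm treats the delegation as unsigned/"insecure", whereas a resolver that supports the algorithm but fails to verify the signatures returns "bogus") can be modelled in a few lines. The script below is an added example, not code from the thread or from Red Hat; the decision rule follows RFC 4035 section 5.2 and RFC 6840 section 5.11 as I read them, the DS records are constructed, and the function and variable names are my own. It also flags zones whose DS RRset references only the deprecated SHA1 algorithms 5 and 7, which is the check a zone operator planning the overdue rollover would want to run on their own delegation.

```python
"""Model how a validating resolver classifies a delegation given the DS
RRset at the parent and the set of DNSSEC algorithms the resolver is
willing to use.  Added example; the DS data below is constructed."""
from dataclasses import dataclass
from typing import List, Set

# DNSSEC algorithm numbers (IANA registry, summarised in RFC 8624).
RSASHA1 = 5
RSASHA1_NSEC3_SHA1 = 7
RSASHA256 = 8
ECDSAP256SHA256 = 13

DEPRECATED_SHA1 = {RSASHA1, RSASHA1_NSEC3_SHA1}

# A resolver that still accepts SHA1-based RSA (pre-"fix" behaviour).
SUPPORTS_SHA1 = {RSASHA1, RSASHA1_NSEC3_SHA1, RSASHA256, ECDSAP256SHA256}
# A resolver that has dropped algorithms 5 and 7 (post-"fix" behaviour).
NO_SHA1 = {RSASHA256, ECDSAP256SHA256}


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


def parse_ds_rrset(text: str) -> List[DS]:
    """Parse DS records in zone-file presentation format, e.g.
    'example.test. 3600 IN DS 12345 7 2 <hex digest>'.
    Blank lines and ';' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if "DS" not in fields:
            raise ValueError(f"not a DS record: {line}")
        idx = fields.index("DS")
        key_tag, alg, dtype = (int(f) for f in fields[idx + 1:idx + 4])
        digest = "".join(fields[idx + 4:]).upper()   # digest may be split
        records.append(DS(key_tag, alg, dtype, digest))
    return records


def delegation_status(ds_records: List[DS], supported: Set[int],
                      signatures_valid: bool = True) -> str:
    """Return 'insecure', 'secure' or 'bogus'.

    - No DS at all: unsigned delegation -> insecure (assumes the absence
      was proven with NSEC/NSEC3, which is not modelled here).
    - DS present but none with an algorithm the resolver supports: the
      resolver MUST treat the zone as unsigned -> insecure.
    - At least one usable DS: validation is mandatory; a failure is bogus.
    """
    if not ds_records:
        return "insecure"
    usable = [ds for ds in ds_records if ds.algorithm in supported]
    if not usable:
        return "insecure"
    return "secure" if signatures_valid else "bogus"


def uses_only_sha1(ds_records: List[DS]) -> bool:
    """True when every DS references algorithm 5 or 7, i.e. the zone
    becomes 'insecure' on any resolver that has disabled SHA1."""
    return bool(ds_records) and all(
        ds.algorithm in DEPRECATED_SHA1 for ds in ds_records)


# Constructed sample data: one zone signed only with RSASHA1-NSEC3-SHA1,
# one zone that has rolled to ECDSAP256SHA256 as well.
SHA1_ONLY_ZONE = """
; constructed, not a real delegation
sha1only.test. 3600 IN DS 21345 7 2 0F1E2D3C4B5A69788796A5B4C3D2E1F0 \
0F1E2D3C4B5A69788796A5B4C3D2E1F0
"""
ROLLED_ZONE = """
rolled.test. 3600 IN DS 21345 7 2 0F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C4B5A69788796A5B4C3D2E1F0
rolled.test. 3600 IN DS 40112 13 2 A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90
"""

if __name__ == "__main__":
    sha1_only = parse_ds_rrset(SHA1_ONLY_ZONE)
    rolled = parse_ds_rrset(ROLLED_ZONE)
    print("sha1only.test, resolver without SHA1:",
          delegation_status(sha1_only, NO_SHA1))
    print("sha1only.test, SHA1 'supported' but verification refused:",
          delegation_status(sha1_only, SUPPORTS_SHA1, signatures_valid=False))
    print("rolled.test, resolver without SHA1:",
          delegation_status(rolled, NO_SHA1))
    print("sha1only.test needs rollover:", uses_only_sha1(sha1_only))
```

The second case reproduces the pre-errata failure mode: the validator believes it supports algorithm 7, the underlying crypto library refuses the SHA1 verification, and the answer is marked bogus (SERVFAIL to the client). After the "fix" the same zone simply falls back to insecure, which is why the thread treats it as a reason to finish the rollover rather than as a resolution.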
