On Wed, 1 May 2024, Mark Andrews wrote:
> One got servfail because validators were not aware that support was ripped away underneath it. Validators started to get errors that were totally unexpected. Performing runtime testing of algorithm support addressed that by allowing the validator to skip the unsupported algorithm.
The runtime check for SHA1 helped put RSA-SHA1 / NSEC3-RSA-SHA1 into the "unsupported" category, but RSA-SHA256 with NSEC3 still uses SHA1 for hashing the QNAME, and while not cryptographic use, still had problems in practice. I don't remember the full details, but I think it related to wildcard proofs of non-existence of some kind, leading to validation failures.

Paul