Petr Menšík <pemen...@redhat.com> writes:

> It is suitable for all other algorithms so I disagree that 
> without algorithms 5 and 7 it is not usable at all. Majority of
> secured domains use stronger algorithms already.

Would it be the same if it worked for a majority of TLDs?  Say "nz" as
an arbitrary example. Would still work fine for a majority of users.  It
would probably take me some time before I noticed.  After all, I rarely
have a need to look up "nz" domains.  And when it occasionally failed I'd
probably never have blamed Redhat.

IMHO BIND without RSASHA1 is useless as a validating resolver as long as
there are RSASHA1 signed zones out there.  At least as long as this is
still allowed.  And it is.  Hence the MUST validate.

The classical example of a failing domain is
https://dnsviz.net/d/paypal.com/dnssec/

Maybe acceptable for you?  Definitely not for me or my customers.  I
want DNSSEC validation on that domain. I'd certainly prefer a stronger
algorithm. But that's not an option, is it?

So, yes, I prefer to be forced to acknowledge this issue.  And refusing
to start without some form of explicit administrator action is the only
way that works in my experience.  Not enough admins read logs ;-)



Bjørn
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.
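The failure mode discussed above (a zone signed only with algorithm 5 or 7, looked at by a resolver whose crypto policy has taken SHA-1 away) can be checked offline from the zone's DNSKEY RRset. The script below is an added example, not code from the thread, from BIND or from ISC; the DNSKEY records in it are constructed sample data, not the real paypal.com keys. It assumes the parent's DS RRset covers a KSK of each algorithm present in the DNSKEY RRset, so that the resolver can build a chain of trust if it supports at least one of those algorithms; a zone whose algorithms are all unsupported is treated as insecure (unsigned), not bogus, per RFC 4035 section 5.2, which is why such a break produces no SERVFAIL and is easy to miss.

```python
"""Audit the DNSSEC algorithms a zone's DNSKEY RRset relies on and report what
a validating resolver with a given set of supported algorithms concludes.

Added example, not from the bind-users thread or from BIND. The RRsets below
are constructed sample data.
"""
import re

# IANA DNSSEC algorithm numbers (subset; names as registered).
ALGORITHM_NAMES = {
    5: "RSASHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
    15: "ED25519",
    16: "ED448",
}
ALL_ALGORITHMS = set(ALGORITHM_NAMES)

# Signature algorithms that need SHA-1; a system crypto policy that forbids
# SHA-1 signatures removes exactly these from the resolver.
SHA1_ALGORITHMS = {5, 7}

# DNSKEY in presentation format: owner [TTL] [IN] DNSKEY flags proto alg key
_DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>.+)$"
)

# Constructed sample: a zone signed only with algorithm 5 (RSASHA1).
SHA1_ONLY_RRSET = """\
; constructed sample, not a real zone
example.test.  3600 IN DNSKEY 257 3 5 AwEAAcK9constructedKSKkeymaterial==
example.test.  3600 IN DNSKEY 256 3 5 AwEAAZ2lconstructedZSKkeymaterial==
"""

# Constructed sample: the same zone mid-rollover to ECDSAP256SHA256 (13).
MIXED_RRSET = """\
example.test.  3600 IN DNSKEY 257 3 5  AwEAAcK9constructedKSKkeymaterial==
example.test.  3600 IN DNSKEY 257 3 13 constructedP256KSK/keymaterial==
example.test.  3600 IN DNSKEY 256 3 13 constructedP256ZSK/keymaterial==
"""


def parse_dnskeys(rrset_text):
    """Parse DNSKEY RRs in presentation format into a list of dicts."""
    keys = []
    for line in rrset_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _DNSKEY_RE.match(line)
        if not m:
            raise ValueError("not a DNSKEY record: %r" % line)
        alg = int(m.group("alg"))
        keys.append({
            "owner": m.group("owner"),
            # flags 257 = zone key (256) + SEP bit (1): a KSK
            "ksk": bool(int(m.group("flags")) & 0x0001),
            "algorithm": alg,
            "algorithm_name": ALGORITHM_NAMES.get(alg, "unassigned"),
        })
    return keys


def validation_outcome(keys, supported):
    """'secure' if the resolver supports at least one algorithm in the RRset
    (assumption: the parent DS covers a KSK of that algorithm), otherwise
    'insecure': RFC 4035 5.2 says an all-unsupported DS set is treated like
    a proof that no DS exists, so answers come back without AD, not SERVFAIL.
    """
    algs = {k["algorithm"] for k in keys}
    return "secure" if algs & set(supported) else "insecure"


def audit(keys, supported):
    """Summarise the algorithms in use and which ones the resolver lacks."""
    algs = sorted({k["algorithm"] for k in keys})
    return {
        "algorithms": {a: ALGORITHM_NAMES.get(a, "unassigned") for a in algs},
        "unsupported": [a for a in algs if a not in supported],
        "outcome": validation_outcome(keys, supported),
    }


if __name__ == "__main__":
    policies = (("SHA-1 allowed", ALL_ALGORITHMS),
                ("SHA-1 disabled", ALL_ALGORITHMS - SHA1_ALGORITHMS))
    for label, rrset in (("sha1-only zone", SHA1_ONLY_RRSET),
                         ("mixed zone", MIXED_RRSET)):
        keys = parse_dnskeys(rrset)
        for policy, supported in policies:
            print("%-14s %-15s %s" % (label, policy, audit(keys, supported)))
```

The interesting row is the sha1-only zone under the "SHA-1 disabled" policy: the outcome is "insecure", meaning the resolver hands back the answer without the AD bit rather than failing, which is exactly the silent degradation the message above complains about. To run this against a live zone, feed it the output of `dig +short DNSKEY <zone>` prefixed with the owner name, and compare against the parent's DS RRset before trusting the "secure" verdict.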
