On 14. 12. 23 8:58, Wolfgang Riedel via bind-users wrote:
Hi Folks,

I just wonder what your take is on the current DNSSEC mess with SHA1?

There are still a lot of top level domains being signed with SHA1 and it looks like nobody really cares? Current OS releases like RHEL9 and others simply removed SHA1 from the code, so if you're running BIND with "dnssec-validation auto" all those domains fail to resolve and the only way out is "dnssec-validation no", which eliminates the whole idea of DNSSEC!

The worst is that even nist.gov fails, WTF!
https://dnsviz.net/d/nist.gov/dnssec/

Any advice or ideas?

Given the lack of details it's hard to say. Widespread DNSSEC validation failures on RHEL 9 are not a shared experience.

Please provide:
- **exact** version numbers
- how you got the packages
- which version of OpenSSL is in use, and how it's configured
- whether FIPS mode is in play or not
... and then we can get to diagnosing your issue.

--
Petr Špaček
Internet Systems Consortium
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.
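To gather the diagnostics the reply above asks for, here is an added example (it is not code from either poster or from ISC) of small POSIX shell helpers: one pulls the BIND version and the OpenSSL version BIND is linked against out of `named -V` output, one reads the kernel FIPS flag, and one counts RRSIGs made with the SHA-1 based algorithms (5 = RSASHA1, 7 = RSASHA1-NSEC3-SHA1) in `dig +dnssec` output. The `named -V` and `dig` outputs embedded below are constructed samples (the zone example.test, key tags and timestamps are made up), so the script runs offline; on a real resolver you would pipe the live command output into the same functions.

```shell
#!/bin/sh
# Added example, not from the bind-users thread. All sample input is constructed.

# Print "bind=<version>" and "openssl=<version>" from `named -V` output on stdin.
# The OpenSSL version that matters for validation is the *linked* one, not the
# one BIND was compiled with.
bind_versions() {
    awk '/^BIND / { print "bind=" $2 }
         /^linked to OpenSSL version:/ { sub(/.*version: OpenSSL /, ""); print "openssl=" $1 }'
}

# Return success when the kernel reports FIPS mode. The path argument exists so
# the function can be exercised on a file other than /proc (used by the demo).
fips_enabled() {
    f=${1:-/proc/sys/crypto/fips_enabled}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Count RRSIG records whose algorithm field is 5 or 7 (SHA-1 based) in
# `dig +dnssec` output on stdin. dig prints: name TTL IN RRSIG type alg ...
sha1_rrsig_count() {
    awk '$4 == "RRSIG" && ($6 == 5 || $6 == 7) { n++ } END { print n + 0 }'
}

# Optional live checks, guarded so the script also runs where the tools are
# absent: where the packages came from and which crypto policy is active.
live_report() {
    command -v rpm >/dev/null 2>&1 && rpm -qi bind 2>/dev/null | sed -n 's/^\(Version\|Release\|Vendor\)/\1/p'
    command -v update-crypto-policies >/dev/null 2>&1 && update-crypto-policies --show
    command -v named >/dev/null 2>&1 && named -V | bind_versions
    return 0
}

# Constructed sample of `named -V` output (version strings are illustrative).
SAMPLE_NAMED_V='BIND 9.16.23-RH (Extended Support Version) <id:0000000>
running on Linux x86_64 5.14.0-0.el9.x86_64 #1 SMP
compiled with OpenSSL version: OpenSSL 3.0.1 14 Dec 2021
linked to OpenSSL version: OpenSSL 3.0.7 1 Nov 2022'

# Constructed sample of `dig +dnssec A example.test` answer section:
# one RRSIG with algorithm 7 (SHA-1 based), one with algorithm 8 (RSASHA256).
SAMPLE_DIG=';; ANSWER SECTION:
example.test.		300	IN	A	192.0.2.10
example.test.		300	IN	RRSIG	A 7 2 300 20240101000000 20231201000000 12345 example.test. AAAA
example.test.		300	IN	RRSIG	A 8 2 300 20240101000000 20231201000000 23456 example.test. AAAA'

# Stand-alone demo on the constructed samples.
printf '%s\n' "$SAMPLE_NAMED_V" | bind_versions
printf 'fips=%s\n' "$(fips_enabled && echo yes || echo no)"
printf 'sha1_rrsigs=%s\n' "$(printf '%s\n' "$SAMPLE_DIG" | sha1_rrsig_count)"
```

A nonzero SHA-1 RRSIG count for a zone tells you the zone still depends on algorithm 5 or 7; whether your resolver then returns SERVFAIL or treats the zone as insecure depends on the BIND build and the OpenSSL/crypto-policy configuration, which is exactly why the reply asks for those versions before guessing.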
