On Thu, Aug 18, 2022 at 09:12:33AM +1000, Mark Andrews wrote:

> Well anyone using RedHat Enterprise Linux 9 / Oracle Linux 9 already
> has RSASHA1 / NSEC3RSASHA1 disabled.
> 
> BIND will automatically disable these algorithms as of the September
> releases if they are not supported by the crypto provider.  So it will
> no longer require named.conf changes. 

I forgot about this, indeed with support for:

    {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) sha1-with-rsa-signature(5)}

effectively removed from at least one mainstream crypto library,
algorithms 5 and 7 are becoming "insecure", whether we say so or not, so
we may as well say so.

Perhaps the new draft is one way to get the message out to the operators
of the holdout zones.

-- 
    Viktor.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
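Added example, not part of the thread or of BIND: a Python audit that parses DNSKEY records in zone presentation format, computes each key's RFC 4034 key tag, and flags algorithms 5 and 7 (the RSASHA1 variants discussed above) so an operator can see whether a zone is one of the holdouts. The sample zone fragment is constructed and "AQAB" is a placeholder, not a real public key.

```python
import base64

# DNSSEC algorithm numbers from the IANA registry; 5 and 7 are the RSA/SHA-1
# variants the thread describes as becoming insecure.
ALGORITHMS = {
    5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}
SHA1_RSA_ALGORITHMS = {5, 7}

def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA wire format
    (algorithm 1, RSAMD5, uses a different rule and is not handled here)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(line):
    """Parse one RR: owner [ttl] [class] DNSKEY flags protocol algorithm base64-key."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # key may be split in whitespace-separated chunks
    return fields[0], flags, protocol, algorithm, pubkey

def audit_dnskeys(zone_text):
    """Return (owner, key_tag, algorithm, mnemonic, uses_rsa_sha1) for every DNSKEY in the text."""
    findings = []
    for line in zone_text.splitlines():
        if " DNSKEY " not in line or line.lstrip().startswith(";"):
            continue
        owner, flags, proto, alg, pubkey = parse_dnskey(line)
        findings.append((owner, key_tag(flags, proto, alg, pubkey), alg,
                         ALGORITHMS.get(alg, f"alg{alg}"), alg in SHA1_RSA_ALGORITHMS))
    return findings

# Constructed sample zone fragment (hypothetical zone); "AQAB" is a placeholder key.
SAMPLE_ZONE = """\
example.test. 3600 IN DNSKEY 257 3 5 AQAB
example.test. 3600 IN DNSKEY 256 3 7 AQAB
example.test. 3600 IN DNSKEY 257 3 13 AQAB
"""

if __name__ == "__main__":
    for owner, tag, alg, name, flagged in audit_dnskeys(SAMPLE_ZONE):
        state = "roll over: RSA/SHA-1 key" if flagged else "ok"
        print(f"{owner} keytag={tag} alg={alg} ({name}) {state}")
```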
