On Fri, Mar 07, 2025 at 02:38:23PM -0500, John Griffiths via Postfix-users wrote:

> As Wietse said, the resolver (bind) was bouncing emails from hosts
> that failed DNSSEC.

Not bouncing mails, perhaps failing to resolve the domain. If you're on a RedHat system, you need to tweak the crypto policy and run a recent version of the resolver. I have:

    # update-crypto-policies --show
    DEFAULT:SHA1

> Some domains are using an old algorithm that is no longer accepted by
> the current DNSSEC default configuration.

This is RedHat-specific. While the SHA1 algorithms are deprecated, they're still expected to work at present.

> Three I have found are: comcast.net (algorithm 5), medicare.gov
> (algorithm 7), and usps.gov (algorithm 7).

See below. Algorithm 7 use is at ~0.5% of signed zones, while algorithm 5 is at ~0.08%. I do hope that comcast.net will consider switching to algorithm 13 (or 8) sooner rather than later.

> The current recommended algorithms are 14, 15, and 16 with 15 being
> preferred according to RFC 8624 sec. 3.1.

No, the MTI algorithms are 8 and 13. Algorithm 14 is just a needlessly slow and bloated version of 13 for those who unwisely believe that larger keys are always better. While 15 (Ed25519) is technically a fine alternative to P-256, it does not yet have quite the broad support, so is still somewhat bleeding edge with an ~1-2% share of signed domains.

https://stats.dnssec-tools.org/#/?top=parameters&dnssec_param_tab=0

    Alg  Flags  Proto  #Domains
     13    257      3  11799492
      8    257      3  10006886
     15    257      3    392929
     10    257      3    194926
     14    257      3    154452
      7    257      3    113254
      5    257      3     17789

-- 
    Viktor.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
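The thread above turns on two things an operator can check for themselves: which algorithm a zone's DNSKEY RRset actually uses, and how each algorithm is classified by RFC 8624 section 3.1 (8 and 13 are MUST for both signing and validation; 5 and 7 are NOT RECOMMENDED for signing but still MUST validate; 15 is RECOMMENDED, 14 and 16 are MAY for signing). The script below is an added example, not code from this thread, Postfix, or BIND. It parses DNSKEY records in presentation format (the shape `dig DNSKEY zone` prints), flags keys whose algorithm is SHA-1 based, which is what a validator running under a crypto policy that excludes SHA-1 will refuse, and recomputes algorithm shares from the stats table Viktor quoted. The DNSKEY records in it are constructed for illustration; their key material is not real.

```python
"""Audit DNSKEY RRsets against RFC 8624 section 3.1 and compute algorithm shares.

Added example for the Postfix-users thread on DNSSEC algorithms; not part of
any project. The DNSKEY lines below are constructed, not real zone data.
"""
from dataclasses import dataclass

# RFC 8624 section 3.1: algorithm number -> (name, "use for signing", "use for validation")
RFC8624 = {
    1: ("RSAMD5", "MUST NOT", "MUST NOT"),
    3: ("DSA", "MUST NOT", "MUST NOT"),
    5: ("RSASHA1", "NOT RECOMMENDED", "MUST"),
    6: ("DSA-NSEC3-SHA1", "MUST NOT", "MUST NOT"),
    7: ("RSASHA1-NSEC3-SHA1", "NOT RECOMMENDED", "MUST"),
    8: ("RSASHA256", "MUST", "MUST"),
    10: ("RSASHA512", "NOT RECOMMENDED", "MUST"),
    12: ("ECC-GOST", "MUST NOT", "MAY"),
    13: ("ECDSAP256SHA256", "MUST", "MUST"),
    14: ("ECDSAP384SHA384", "MAY", "RECOMMENDED"),
    15: ("ED25519", "RECOMMENDED", "RECOMMENDED"),
    16: ("ED448", "MAY", "RECOMMENDED"),
}
# Signature algorithms that hash with SHA-1; a validator whose crypto policy
# excludes SHA-1 (assumption: e.g. a Red Hat DEFAULT policy without the SHA1
# subpolicy shown in the thread) cannot validate zones signed with these.
SHA1_BASED = {5, 7}

# Constructed sample: two zones with a modern KSK/ZSK pair, two legacy zones.
SAMPLE_DNSKEYS = """\
modern.test.   3600 IN DNSKEY 257 3 13 AwEAAconstructedKSKmaterial==
modern.test.   3600 IN DNSKEY 256 3 13 AwEAAconstructedZSKmaterial==
legacy-a.test. 3600 IN DNSKEY 257 3 5  AwEAAconstructedRSASHA1material==
legacy-b.test.      IN DNSKEY 257 3 7  AwEAAconstructedNSEC3SHA1material==
"""

# Table as quoted in the thread (stats.dnssec-tools.org, March 2025).
STATS_TABLE = """\
Alg Flags Proto #Domains
13 257 3 11799492
8 257 3 10006886
15 257 3 392929
10 257 3 194926
14 257 3 154452
7 257 3 113254
5 257 3 17789
"""


@dataclass
class DnsKey:
    owner: str
    flags: int
    protocol: int
    algorithm: int


def parse_dnskey_lines(text):
    """Parse presentation-format DNSKEY records; TTL and class may be absent."""
    keys = []
    for line in text.splitlines():
        fields = line.split()
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        if len(fields) < i + 5:
            continue  # truncated record: flags, protocol, algorithm, key data required
        flags, proto, alg = (int(f) for f in fields[i + 1:i + 4])
        keys.append(DnsKey(fields[0], flags, proto, alg))
    return keys


def audit(keys):
    """Classify each key by RFC 8624 status and SHA-1 dependence."""
    findings = []
    for k in keys:
        name, sign, validate = RFC8624.get(k.algorithm, ("UNKNOWN", "MUST NOT", "MUST NOT"))
        role = "KSK" if k.flags & 1 else "ZSK"  # SEP bit (flags 257) marks the KSK
        findings.append({
            "owner": k.owner, "role": role, "algorithm": k.algorithm, "name": name,
            "signing": sign, "validation": validate,
            "sha1_based": k.algorithm in SHA1_BASED,
            "deprecated_for_signing": sign in ("NOT RECOMMENDED", "MUST NOT"),
        })
    return findings


def algorithm_share(table_text):
    """Percentage of signed domains per algorithm, from the quoted stats table."""
    counts = {}
    for line in table_text.splitlines()[1:]:  # skip the header row
        alg, _flags, _proto, n = line.split()
        counts[int(alg)] = counts.get(int(alg), 0) + int(n)
    total = sum(counts.values())
    return {alg: 100.0 * n / total for alg, n in counts.items()}


if __name__ == "__main__":
    for f in audit(parse_dnskey_lines(SAMPLE_DNSKEYS)):
        warn = " [SHA-1: fails under SHA-1-free crypto policy]" if f["sha1_based"] else ""
        print(f"{f['owner']:16} {f['role']} alg {f['algorithm']:2} {f['name']:20} "
              f"sign={f['signing']} validate={f['validation']}{warn}")
    for alg, pct in sorted(algorithm_share(STATS_TABLE).items(), key=lambda x: -x[1]):
        print(f"alg {alg:2}: {pct:6.2f}% of signed domains")
```

Run it against real data by piping `dig +noall +answer DNSKEY yourzone` into `parse_dnskey_lines`; the share function reproduces the figures in the thread (algorithm 7 at about 0.5%, algorithm 5 at about 0.08%, algorithm 15 between 1% and 2%).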
> As Wietse said, the resolver (bind) was bouncing emails from hosts > that failed DNSSEC. Not bouncing mails, perhaps failing to resolve the domain. If you're on a RedHat system, you need to tweak the crypto policy and run a recent version of the resolver. I have: # update-crypto-policies --show DEFAULT:SHA1 > Some domains are using an old algorithm that is no longer accepted by > the current DNSSEC default configuration. This is RedHat-specific. While the SHA1 algorithms are deprecated, they're still expected to work at present. > Three I have found are: comcast.net (algorithm 5), medicare.gov > (algorithm 7), and usps.gov (algorithm 7). See below. Algorithm 7 use is at ~0.5% of signed zones, while algorithm 5 is at ~0.08%. I do hope that comcast.net will consider switching to algorithm 13 (or 8) sooner rather than later. > The current recommended algorithms are 14, 15, and 16 with 15 being > preferred according to RFC 8624 sec. 3.1. No, the MTI algorithms are 8 and 13. Algorithm 14 is just a needlessly slow and bloated version of 13 for those who unwisely believe that larger keys are always better. While 15 (Ed25519) is technically a fine alternative to P-256, it does not yet have quite the broad support, so is still somewhat bleeding edge with an ~1-2% share of signed domains. https://stats.dnssec-tools.org/#/?top=parameters&dnssec_param_tab=0 Alg Flags Proto #Domains 13 257 3 11799492 8 257 3 10006886 15 257 3 392929 10 257 3 194926 14 257 3 154452 7 257 3 113254 5 257 3 17789 -- Viktor. _______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org