On Fri, Mar 07, 2025 at 02:38:23PM -0500, John Griffiths via Postfix-users 
wrote:

> As Wietse said, the resolver (bind) was bouncing emails from hosts
> that failed DNSSEC.

Not bouncing mails, perhaps failing to resolve the domain.  If you're on
a RedHat system, you need to tweak the crypto policy and run a recent
version of the resolver.  I have:

    # update-crypto-policies --show
    DEFAULT:SHA1

> Some domains are using an old algorithm that is no longer accepted by
> the current DNSSEC default configuration.

This is RedHat-specific.  While the SHA1 algorithms are deprecated,
they're still expected to work at present.

> Three I have found are: comcast.net (algorithm 5), medicare.gov
> (algorithm 7), and usps.gov (algorithm 7).

See below.  Algorithm 7 use is at ~0.5% of signed zones, while algorithm
5 is at ~0.08%.  I do hope that comcast.net will consider switching to
algorithm 13 (or 8) sooner rather than later.

> The current recommended algorithms are 14, 15, and 16 with 15 being
> preferred according to RFC 8624 sec. 3.1.

No, the MTI algorithms are 8 and 13.  Algorithm 14 is just a needlessly
slow and bloated version of 13 for those who unwisely believe that
larger keys are always better.  While 15 (Ed25519) is technically a fine
alternative to P-256, it does not yet have quite the broad support, so
is still somewhat bleeding edge with an ~1-2% share of signed domains.

    https://stats.dnssec-tools.org/#/?top=parameters&dnssec_param_tab=0

    Alg     Flags   Proto   #Domains
    13      257     3       11799492
    8       257     3       10006886
    15      257     3       392929
    10      257     3       194926
    14      257     3       154452
    7       257     3       113254
    5       257     3       17789

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
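An added example, not part of Viktor's message or of Postfix: it parses DNSKEY records in the presentation format `dig DNSKEY <zone>` prints, tallies KSK algorithms the way the stats table above does, and reports zones whose algorithms RFC 8624 section 3.1 does not list as MUST/RECOMMENDED for signing, or that need the SHA1-enabled crypto policy on RedHat-family validators. The zone names and key data are constructed placeholders.

```python
import re
from collections import Counter
# RFC 8624 section 3.1: algorithm -> (mnemonic, "use for DNSSEC signing", "use for validation")
RFC8624 = {
    5:  ("RSASHA1",            "NOT RECOMMENDED", "MUST"),
    7:  ("RSASHA1-NSEC3-SHA1", "NOT RECOMMENDED", "MUST"),
    8:  ("RSASHA256",          "MUST",            "MUST"),
    13: ("ECDSAP256SHA256",    "MUST",            "MUST"),
    14: ("ECDSAP384SHA384",    "MAY",             "RECOMMENDED"),
    15: ("ED25519",            "RECOMMENDED",     "RECOMMENDED"),
    16: ("ED448",              "MAY",             "RECOMMENDED"),
}
SHA1_ALGS = {5, 7}  # on RedHat-family hosts these validate only with the DEFAULT:SHA1 policy
DNSKEY_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+\S")

def parse_dnskeys(text):
    """Return [(owner, flags, protocol, algorithm)] from presentation-format DNSKEY lines."""
    keys = []
    for line in text.splitlines():
        m = DNSKEY_RE.match(line.strip())
        if m:
            owner, flags, proto, alg = m.groups()
            keys.append((owner.rstrip(".").lower(), int(flags), int(proto), int(alg)))
    return keys

def ksk_algorithms(keys):
    """Count algorithms over KSKs only (flags 257, SEP bit set), as in the stats table."""
    return Counter(alg for _, flags, _, alg in keys if flags & 1)

def audit(keys):
    """Per zone: the algorithms in use plus RFC 8624 / crypto-policy findings as strings."""
    zones = {}
    for owner, _, proto, alg in keys:
        z = zones.setdefault(owner, {"algs": set(), "findings": []})
        z["algs"].add(alg)
        if proto != 3:
            z["findings"].append(f"protocol {proto} invalid, DNSKEY protocol must be 3")
    for z in zones.values():
        for alg in sorted(z["algs"]):
            name, sign, _ = RFC8624.get(alg, ("unknown", "MUST NOT", "MUST NOT"))
            if sign not in ("MUST", "RECOMMENDED"):
                z["findings"].append(f"alg {alg} ({name}): signing use is {sign}")
            if alg in SHA1_ALGS:
                z["findings"].append(f"alg {alg} needs a SHA1-enabled crypto policy")
    return zones

# Constructed sample: one zone still on RSASHA1, one on ECDSAP256SHA256 (key data is a placeholder)
SAMPLE = """\
legacy.example.  3600 IN DNSKEY 257 3 5 AwEAAc0nstructedKSKplaceholder==
legacy.example.  3600 IN DNSKEY 256 3 5 AwEAAc0nstructedZSKplaceholder==
modern.example.  3600 IN DNSKEY 257 3 13 AwEAAc0nstructedKSKplaceholder==
modern.example.  3600 IN DNSKEY 256 3 13 AwEAAc0nstructedZSKplaceholder==
"""
```

Run `audit(parse_dnskeys(SAMPLE))` to get the per-zone findings; the legacy zone is reported twice (NOT RECOMMENDED for signing, and SHA1 policy dependent), the modern zone is clean.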