On Thu, 8 Sep 2022, Josef Vybíhal via Unbound-users wrote:
Thanks! I now remember, I have seen Petr discussing something similar on the Bind Users mailing list.
You can run:

    sudo update-crypto-policies --set LEGACY

That will enable SHA1 again to be useful for validation. It will unfortunately also enable SHA1 for other things like sshd.

I tried to communicate this to Red Hat but they weren't willing to budge and allow sha1 for dnssec, thereby reducing people's security from "attacking sha1" to "just spoof it" :/

Luckily, only like 0.08% of dnssec signed zones are still using sha1 and we have a draft underway at IETF to push people further away from sha1.

https://datatracker.ietf.org/doc/html/draft-hardaker-dnsop-rfc8624-bis

Paul
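Before relaxing a whole resolver host to the LEGACY crypto policy (which, as the reply above notes, also loosens sshd and everything else on the box), it helps to know which zones actually still depend on SHA-1. The script below is an added example written for this archive page; it is not part of the thread and not Unbound, Red Hat or crypto-policies code. It filters DNSKEY, DS and RRSIG records in zone presentation format (the form `dig +noall +answer` prints) for the SHA-1 based DNSSEC algorithm numbers 5 (RSASHA1) and 7 (RSASHA1-NSEC3-SHA1) and for DS digest type 1 (SHA-1). The zone `example.test.`, its key tags and the `PLACEHOLDER...` key and signature fields are constructed sample data, not real records.

```shell
#!/bin/sh
# Added example: audit DNSSEC records for SHA-1 dependencies before
# deciding whether a system-wide LEGACY crypto policy is really needed.
# Algorithm and digest numbers are from the IANA DNSSEC registries:
#   DNSKEY/RRSIG algorithm 5 = RSASHA1, 7 = RSASHA1-NSEC3-SHA1
#   DS digest type 1 = SHA-1

# Read RRs in presentation format on stdin (owner TTL class TYPE rdata...),
# print one line per SHA-1 dependency found, and return 1 if any were found.
sha1_dnssec_rrs() {
    awk '
    BEGIN { hit = 0 }
    # skip comment lines (";") and blank lines
    /^[[:space:]]*(;|$)/ { next }
    {
        type = ""; pos = 0
        # locate the RR type token so both full RRs and rdata-first lines work
        for (i = 1; i <= NF; i++) {
            if ($i == "DNSKEY" || $i == "DS" || $i == "RRSIG") {
                type = $i; pos = i; break
            }
        }
        if (type == "DNSKEY") {
            # rdata: flags protocol algorithm publickey
            alg = $(pos + 3)
            if (alg == 5 || alg == 7) {
                hit = 1; printf "%s DNSKEY algorithm %s (SHA-1)\n", $1, alg
            }
        } else if (type == "DS") {
            # rdata: keytag algorithm digesttype digest
            alg = $(pos + 2); dtype = $(pos + 3)
            if (alg == 5 || alg == 7) {
                hit = 1; printf "%s DS algorithm %s (SHA-1)\n", $1, alg
            }
            if (dtype == 1) {
                hit = 1; printf "%s DS digest type 1 (SHA-1)\n", $1
            }
        } else if (type == "RRSIG") {
            # rdata: typecovered algorithm labels origttl expire incep keytag signer sig
            alg = $(pos + 2)
            if (alg == 5 || alg == 7) {
                hit = 1; printf "%s RRSIG algorithm %s (SHA-1)\n", $1, alg
            }
        }
    }
    END { exit (hit ? 1 : 0) }'
}

# Constructed sample records for a fictional zone; key and signature
# material is replaced by placeholders because the audit never parses it.
sample_rrs() {
    cat <<'EOF'
; constructed sample, not a real zone
example.test. 3600 IN DNSKEY 257 3 7 PLACEHOLDERKSKKEY
example.test. 3600 IN DNSKEY 256 3 13 PLACEHOLDERZSKKEY
example.test. 3600 IN DS 12345 7 1 0123456789abcdef0123456789abcdef01234567
example.test. 3600 IN DS 23456 13 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
example.test. 3600 IN RRSIG DNSKEY 7 2 3600 20221001000000 20220901000000 12345 example.test. PLACEHOLDERSIG
EOF
}

# Demo: run the audit over the constructed sample.
if sample_rrs | sha1_dnssec_rrs; then
    echo "no SHA-1 dependencies found"
else
    echo "zone still depends on SHA-1; LEGACY policy (or a migration) would be needed"
fi
```

To audit a real zone, pipe `dig +noall +answer example.org DNSKEY DS` style output into `sha1_dnssec_rrs`; a zone that only reports algorithm 13 or 8 keys and SHA-256 DS digests needs no SHA-1 at all, so the resolver can stay on the DEFAULT policy (`update-crypto-policies --show` prints the active one). Where a SHA-1 dependency does turn up, the output names the owner and record type, which is what you need when asking the zone operator to roll to a newer algorithm.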