Hi,
RFC6725 has appeared yesterday and it changes the DNSSEC DNSKEY algorithm RSAMD5 from NOT RECOMMENDED (from RFC4034) to deprecated.

The current svn contains a code change that makes unbound treat RSAMD5 as an unsupported algorithm: zones signed with RSAMD5 are treated with AD=0, as insecure. Unbound will cache the signatures for downstream users and serve them unmodified (unbound will even still take some (small) effort to fetch and cache RSAMD5 signatures for RSAMD5 zones). This code change would then appear in the next software release of unbound. For double-signed zones, the other algorithm is then used for security. The algorithm table says zone-signing with RSAMD5 is N (for No).

There are some counter arguments for this change. The RFC has appeared very recently (but NOT RECOMMENDED was there for years). We do not want to take sudden, unilateral actions that surprise DNSSEC users. But Secspider sees 0 production-enabled zones with RSAMD5 (as of Wed Jun 27 14:07:10 2012 UTC), http://secspider.cs.ucla.edu/.

Are there other arguments we should take into consideration?
Best regards,
Wouter
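The behaviour Wouter describes (an RSAMD5-only zone becomes insecure with AD=0, while a double-signed zone stays secure through its other algorithm) follows the rule in RFC 4035 section 5.2: when none of the algorithms in a delegation's DS RRset is supported by the validator, the delegation is treated as unsigned. The following Python model, added here as an illustration and not Unbound's code, applies that rule to constructed DS and RRSIG data before and after dropping algorithm number 1 (RSAMD5) from the supported set. Real signature verification is replaced by a `verifies` flag on each constructed signature; the DS and RRSIG classes, `classify_zone` and the supported-algorithm sets are assumptions of this example.

```python
"""
Added example (not Unbound's code): a model of how a validator's Secure /
Insecure decision changes once RSAMD5 (DNSSEC algorithm 1) is removed from
the supported algorithm set, as RFC 6725 deprecates it.

Rule modelled, from RFC 4035 section 5.2: if the validator supports none of
the algorithms in the parent's DS RRset, the delegation is Insecure (AD=0).
If at least one is supported, a verifying signature in a supported algorithm
matching a DS record is required for Secure; otherwise the answer is Bogus.
"""
from dataclasses import dataclass

# DNSSEC algorithm numbers from the IANA registry.
RSAMD5 = 1
RSASHA1 = 5
RSASHA256 = 8

# Supported sets before and after the change described in the mail.
SUPPORTED_BEFORE = frozenset({RSAMD5, RSASHA1, RSASHA256})
SUPPORTED_AFTER = SUPPORTED_BEFORE - {RSAMD5}   # RSAMD5 deprecated by RFC 6725


@dataclass(frozen=True)
class DSRecord:
    key_tag: int
    algorithm: int


@dataclass(frozen=True)
class Signature:
    key_tag: int
    algorithm: int
    verifies: bool   # constructed stand-in for an actual RSA signature check


def classify_zone(ds_set, rrsigs, supported):
    """Return (state, ad_flag) where state is 'secure', 'insecure' or 'bogus'."""
    ds_algs = {ds.algorithm for ds in ds_set}
    usable = ds_algs & supported
    if not usable:
        # Every DS algorithm is unknown to us: treat as an unsigned delegation.
        return "insecure", 0
    # Need a verifying RRSIG made with a supported algorithm whose key tag and
    # algorithm match one of the parent's DS records.
    for sig in rrsigs:
        matches_ds = any(ds.key_tag == sig.key_tag and ds.algorithm == sig.algorithm
                         for ds in ds_set)
        if sig.algorithm in usable and matches_ds and sig.verifies:
            return "secure", 1
    return "bogus", 0


# Constructed sample data: an RSAMD5-only zone and a double-signed zone.
RSAMD5_ONLY_DS = [DSRecord(12345, RSAMD5)]
RSAMD5_ONLY_SIGS = [Signature(12345, RSAMD5, True)]

DOUBLE_SIGNED_DS = [DSRecord(12345, RSAMD5), DSRecord(54321, RSASHA256)]
DOUBLE_SIGNED_SIGS = [Signature(12345, RSAMD5, True),
                      Signature(54321, RSASHA256, True)]


def demo():
    """Evaluate both constructed zones with the old and the new supported set."""
    return {
        "rsamd5_only_before": classify_zone(RSAMD5_ONLY_DS, RSAMD5_ONLY_SIGS, SUPPORTED_BEFORE),
        "rsamd5_only_after": classify_zone(RSAMD5_ONLY_DS, RSAMD5_ONLY_SIGS, SUPPORTED_AFTER),
        "double_signed_after": classify_zone(DOUBLE_SIGNED_DS, DOUBLE_SIGNED_SIGS, SUPPORTED_AFTER),
    }


if __name__ == "__main__":
    for name, (state, ad) in demo().items():
        print(f"{name}: {state} (AD={ad})")
```

Running the block shows the RSAMD5-only zone flipping from secure to insecure (not bogus, so its data is still served, just without AD), and the double-signed zone staying secure via its RSASHA256 key.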
