On Tue, 4 Sep 2012, Ray Bellis wrote:

On 31 Aug 2012, at 09:56, W.C.A. Wijngaards <[email protected]> wrote:

Are there other arguments we should take into consideration?

Yes.  As I understand it there is _zero_ evidence that MD5 is insecure when 
used as a digest in DNSSEC.

IMHO, this option should be a configurable _policy_ decision, and for now it should 
default to the conservative "accept" position.

Note that FIPS mode bans MD5 irrespective of its use. So in FIPS mode,
MD5 will not be available, and unbound will have to be able to deal
with that. Since no one is deploying MD5 in DNSSEC, it might be
easier to just disable it by default, or at least have a compile-time
option to disable it for those compiling for FIPS mode.

Paul
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
