Hi Ondrej,

On 10/04/17 14:57, Ondřej Surý wrote:
> I see - the 31653 DS is only algo 1, but the other one is 1,2, but
>
> But RFC 4509 says:
>
> 3. Implementation Requirements
>
> Implementations MUST support the use of the SHA-256 algorithm in DS
> RRs. Validator implementations SHOULD ignore DS RRs containing SHA-1
> digests if DS RRs with SHA-256 digests are present in the DS RRset.
>
> So perhaps Unbound is too strict here? There are no known usable
> attacks on SHA-1 for use in DNSSEC, so I don't think it's necessary to
> ignore it right _now_.
But unbound clearly implements the SHOULD and thus should be interoperable? That is what the 'SHOULD' is there for, right? So, I am doing this because I think it is the standard. And I think so should you. I didn't do this out of strictness, but out of trying to implement exactly what the standard said.

Best regards, Wouter

> O.
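An added illustration of the RFC 4509 section 3 rule the thread argues about; this is example code, not Unbound's and not from either poster. It applies the rule per DS RRset (the reading under which key 31653, published with a SHA-1 DS only, is dropped because another key in the set has a SHA-256 DS) next to a looser per-key reading for contrast, and checks a DNSKEY against the surviving DS records using the RFC 4034 digest construction. Key tag 31653 comes from the thread; the owner name, the second key tag 4711 and the DNSKEY bytes are constructed.

```python
import hashlib
from collections import namedtuple

DS = namedtuple("DS", "key_tag algorithm digest_type digest")
DIGEST_SHA1, DIGEST_SHA256 = 1, 2
HASHERS = {DIGEST_SHA1: hashlib.sha1, DIGEST_SHA256: hashlib.sha256}

def name_to_wire(name):
    # Canonical wire form of an owner name: lowercase, length-prefixed labels, root label.
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def ds_digest(owner, dnskey_rdata, digest_type):
    # RFC 4034 section 5.1.4: digest = hash(owner name in wire form | DNSKEY RDATA).
    return HASHERS[digest_type](name_to_wire(owner) + dnskey_rdata).hexdigest()

def usable_ds(ds_rrset):
    """RFC 4509 section 3 applied per RRset: if any DS in the set carries a
    SHA-256 digest, every SHA-1 DS in the set is ignored, whichever key it names."""
    if any(ds.digest_type == DIGEST_SHA256 for ds in ds_rrset):
        return [ds for ds in ds_rrset if ds.digest_type != DIGEST_SHA1]
    return list(ds_rrset)

def usable_ds_per_key(ds_rrset):
    """Looser per-key reading (not what the RFC text says): SHA-1 is dropped only
    for a key tag that also has a SHA-256 DS in the set."""
    sha256_tags = {ds.key_tag for ds in ds_rrset if ds.digest_type == DIGEST_SHA256}
    return [ds for ds in ds_rrset
            if not (ds.digest_type == DIGEST_SHA1 and ds.key_tag in sha256_tags)]

def matching_ds(ds_rrset, owner, key_tag, dnskey_rdata):
    """DS records left after RFC 4509 filtering that authenticate the given DNSKEY."""
    return [ds for ds in usable_ds(ds_rrset)
            if ds.key_tag == key_tag
            and ds.digest == ds_digest(owner, dnskey_rdata, ds.digest_type)]

# Constructed sample data, not real zone keys: key 31653 (from the thread) has a
# SHA-1 DS only; key 4711 (made up) has both a SHA-1 and a SHA-256 DS.
OWNER = "example.test."
KEY_A = b"\x01\x01\x03\x08" + b"\xaa" * 16  # flags 257, protocol 3, alg 8, fake key bytes
KEY_B = b"\x01\x01\x03\x08" + b"\xbb" * 16
DS_RRSET = [
    DS(31653, 8, DIGEST_SHA1, ds_digest(OWNER, KEY_A, DIGEST_SHA1)),
    DS(4711, 8, DIGEST_SHA1, ds_digest(OWNER, KEY_B, DIGEST_SHA1)),
    DS(4711, 8, DIGEST_SHA256, ds_digest(OWNER, KEY_B, DIGEST_SHA256)),
]
```

Under the per-RRset reading `matching_ds(DS_RRSET, OWNER, 31653, KEY_A)` is empty, so a validator following that reading cannot build a chain of trust through key 31653 even though its SHA-1 digest is correct.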
