On 22.04.2017 at 13:20, A. Schulze via Unbound-users wrote:
>
>
> On 13.04.2017 at 10:17, W.C.A. Wijngaards via Unbound-users wrote:
>
>> Unbound 1.6.2rc1 maintainers prerelease is available:
>> - --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and
>> DS records. NSEC3 is not disabled.
>
> I tried --disable-sha1 and found any org. zone no longer got validated
> (was handled like unsigned)
There are currently 2727 DS records in the root zone.

  65 x Algorithm 5  for DNSKEY RSA/SHA-1
 474 x Algorithm 7  for DNSKEY RSASHA1-NSEC3-SHA1
2152 x Algorithm 8  for DNSKEY RSA/SHA-256
  36 x Algorithm 10 for DNSKEY RSA/SHA512

--disable-sha1 makes 539 zones / ~20% of the root zone unsigned.
That strongly does not sound like "enabled on production systems" :-)

Andreas
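The tally Andreas did by hand can be scripted. The following is an added example, not code from the thread or from Unbound: it parses DS records from root-zone-style text and counts the delegations that a validator with SHA-1 disabled would treat as insecure. It works on a constructed sample rather than the real root zone, and it counts a delegation as affected only when all of its DS records use algorithm 5 or 7, so a zone that also publishes an algorithm 8 or 10 DS keeps validating.

```python
import re
from collections import Counter, defaultdict

# DNSSEC algorithm numbers from the IANA registry; 5 and 7 are RSA over SHA-1
ALGORITHM_NAMES = {5: "RSA/SHA-1", 7: "RSASHA1-NSEC3-SHA1",
                   8: "RSA/SHA-256", 10: "RSA/SHA-512", 13: "ECDSAP256SHA256"}
SHA1_ALGORITHMS = {5, 7}

# owner [ttl] IN DS keytag algorithm digest-type digest
DS_RE = re.compile(r"^(?P<owner>\S+)\s+(?:\d+\s+)?IN\s+DS\s+(?P<keytag>\d+)\s+"
                   r"(?P<alg>\d+)\s+(?P<digest>\d+)\s+(?P<hash>[0-9A-Fa-f ]+)$")

# Constructed sample in root-zone layout; digests are placeholders, not real hashes
SAMPLE_ZONE = """\
; constructed sample, not the real root zone
example.   86400 IN DS 12345 8 2 00112233445566778899AABBCCDDEEFF
sha1only.  86400 IN DS 11111 5 1 0123456789ABCDEF0123456789ABCDEF
nsec3.     86400 IN DS 22222 7 2 FEDCBA9876543210FEDCBA9876543210
mixed.     86400 IN DS 33333 5 1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
mixed.     86400 IN DS 44444 8 2 BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
big.       86400 IN DS 55555 10 2 CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
"""

def parse_ds_records(zone_text):
    """Yield (owner, algorithm) for every DS record; comments and blanks are skipped."""
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()
        m = DS_RE.match(line) if line else None
        if m:
            yield m.group("owner").lower(), int(m.group("alg"))

def count_by_algorithm(zone_text):
    """DS records per algorithm number, the breakdown given in the mail."""
    return Counter(alg for _, alg in parse_ds_records(zone_text))

def zones_left_insecure(zone_text, disabled=SHA1_ALGORITHMS):
    """Delegations whose every DS uses a disabled algorithm.  The validator has
    no usable DS for them, so the child is treated as insecure (unsigned)."""
    per_zone = defaultdict(set)
    for owner, alg in parse_ds_records(zone_text):
        per_zone[owner].add(alg)
    return sorted(z for z, algs in per_zone.items() if algs <= disabled)

def impact_report(zone_text):
    """Human-readable summary: per-algorithm counts and the affected share."""
    counts, affected = count_by_algorithm(zone_text), zones_left_insecure(zone_text)
    total = len({o for o, _ in parse_ds_records(zone_text)})
    lines = [f"{n:5d} x Algorithm {a:<2} for DNSKEY {ALGORITHM_NAMES.get(a, '?')}"
             for a, n in sorted(counts.items())]
    lines.append(f"{len(affected)} of {total} delegations insecure without SHA-1")
    return "\n".join(lines)

if __name__ == "__main__":
    print(impact_report(SAMPLE_ZONE))
```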