On Tue, 2023-09-26 at 09:43 +0200, Bjørn Mork wrote:
> Viktor Dukhovni ietf-dane@dukhovni.org writes:
>> Many Red Hat systems no longer support the SHA1 DNSSEC algorithms 5 and 7 and your domain is "insecure" for validating resolvers running on these systems.
> This was a Red Hat-specific bug affecting validating resolver operations. It should be fixed by https://access.redhat.com/errata/RHBA-2022:8279
"Fixed" is quite a strong word. Initially, EL9 simply broke SHA1 validation, leading to resolving errors. The "fixes" here turn SHA1 insecure in -some- implementations. Other implementations had to implement their own workarounds to work on EL9 at all.
It was a terrible thing for Red Hat to drop on all these developers and operators, and like so often with Red Hat recently, the community had to step up to compensate.
Kind regards,