On Tue, Sep 26, 2023 at 09:43:25AM +0200, Bjørn Mork wrote:
> Viktor Dukhovni <ietf-dane@dukhovni.org> writes:
>
>> Many RedHat systems no longer support the SHA1 DNSSEC algorithms 5 and 7, and your domain is "insecure" for validating resolvers running on these systems.
>
> This was a Redhat-specific bug affecting validating resolver operations. It should be fixed by https://access.redhat.com/errata/RHBA-2022:8279

The "fix" was to treat algorithms 5 and 7 as unsupported, and the corresponding zones as unsigned. The behaviour before the fix was validation failure with the domain treated as "bogus".

> RSASHA1 validation is not optional. It's still a MUST: https://datatracker.ietf.org/doc/html/rfc8624#section-3.1

That is somewhat dated (it predates https://www.dns.cam.ac.uk/news/2020-01-09-sha-mbles.html), and is in any case ignored by RedHat.

> (and anyone who believes that's wrong should work to update the standard, not violate it. You'd think players like Redhat knew that)

You'd think, but they did what they did. And regardless, the algorithm rollover is still overdue.
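Added example, not code from this thread or from any resolver: a small Python model of the validator decision the exchange above turns on (RFC 4035 s.5.2 / RFC 6840 s.5.2, a DS set with no supported algorithm is treated as unsigned rather than bogus), plus a check for zones that still depend only on algorithms 5 and 7. The "before the fix" behaviour is an assumption that 5 and 7 were still advertised as supported while their signatures failed to verify; the DS records and digests are constructed placeholders.

```python
from dataclasses import dataclass

# DNSSEC algorithm numbers (IANA registry; RFC 8624 section 3.1).
RSASHA1, RSASHA1_NSEC3_SHA1, RSASHA256, ECDSAP256SHA256, ED25519 = 5, 7, 8, 13, 15
SHA1_ALGORITHMS = {RSASHA1, RSASHA1_NSEC3_SHA1}
ALL_ALGORITHMS = {RSASHA1, RSASHA1_NSEC3_SHA1, RSASHA256, ECDSAP256SHA256, ED25519}

@dataclass(frozen=True)
class DS:
    """One DS record as published in the parent zone."""
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str

def classify(ds_set, supported, sig_ok):
    """Return 'secure', 'insecure' or 'bogus' for a delegation.

    ds_set: DS records the parent returns; supported: algorithm numbers
    this validator implements; sig_ok(alg): whether RRSIGs made with
    that algorithm verify.  RFC 4035 s.5.2 / RFC 6840 s.5.2: a DS set
    with no supported algorithm is treated as if the zone were unsigned.
    """
    if not ds_set:
        return "insecure"  # no DS at all: proven unsigned delegation
    usable = {ds.algorithm for ds in ds_set if ds.algorithm in supported}
    if not usable:
        return "insecure"  # only unsupported algorithms: treated as unsigned
    # RFC 6840 s.5.11: one supported algorithm validating is enough.
    return "secure" if any(sig_ok(alg) for alg in usable) else "bogus"

def sha1_only(ds_set):
    """True when the zone can only be validated via algorithm 5 or 7,
    i.e. the rollover the thread calls overdue has not happened."""
    return bool(ds_set) and all(ds.algorithm in SHA1_ALGORITHMS for ds in ds_set)

def redhat_case(ds_set):
    """Outcome before and after the errata discussed in the thread.
    Before (assumed): 5 and 7 still advertised as supported, but their
    signatures never verify because SHA1 is refused -> 'bogus'.
    After: 5 and 7 removed from the supported set -> 'insecure'."""
    before = classify(ds_set, ALL_ALGORITHMS, lambda alg: alg not in SHA1_ALGORITHMS)
    after = classify(ds_set, ALL_ALGORITHMS - SHA1_ALGORITHMS, lambda alg: True)
    return before, after

# Constructed DS records; digests are placeholders, not real values.
SHA1_ZONE = [DS(12345, RSASHA1, 2, "ab" * 32)]
MIXED_ZONE = SHA1_ZONE + [DS(54321, ECDSAP256SHA256, 2, "cd" * 32)]
```

Running `redhat_case` on a zone whose DS set is SHA1-only shows the shift from "bogus" to "insecure"; a zone that also publishes an algorithm 13 DS stays "secure" in both cases.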