Bind 9.11 serving up false answers for a single domain. (OT)

Stuart at registry.godaddy
Thu Feb 11 08:03:50 UTC 2021


Good to know.

Will attach a task to our next KSK roll process. Should halve the number of SHA1 DS's in the root.

Will also tweak some of our other DNSSEC process documentation to stop providing them.

Stuart

On 11/2/21, 6:49 pm, "bind-users on behalf of Ondřej Surý" <bind-users-bounces at lists.isc.org on behalf of ondrej at isc.org> wrote:

    > On 11. 2. 2021, at 7:01, Stuart at registry.godaddy wrote:
    >
    > It's one of those old compatibility things.

    Also called *downgrade attack vector*.

    Stuart, there’s absolutely no reason to keep any SHA1 in the DNS at the time I am writing this message.

    Cheers,
    Ondrej
    --
    Ondřej Surý (He/Him)
    ondrej at isc.org




