BIND 9.18.6 disables RSASHA1 at runtime?
Mark Andrews
marka at isc.org
Thu Sep 1 21:19:03 UTC 2022
Yes. You will need to restart the server.
That all said, if you are signing zones using RSASHA1 or NSEC3RSASHA1, you should transition to a newer algorithm if you want to have your zone validated by as many as possible.
--
Mark Andrews
> On 1 Sep 2022, at 22:59, Anand Buddhdev <anandb at ripe.net> wrote:
>
> Hi BIND developers,
>
> The release notes for 9.18.6 say:
>
> "The DNSSEC algorithms RSASHA1 and NSEC3RSASHA1 are now automatically disabled on systems where they are disallowed by the security policy (e.g. Red Hat Enterprise Linux 9)."
>
> Does this happen at runtime when BIND starts?
>
> If an administrator updates the security policy on an EL9 system and allows SHA1, will BIND 9.18.6 then be able to validate zones signed with RSASHA1?
>
> Regards,
> Anand
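To find which zones are affected by the advice in the reply above, the following added example (not part of the original thread and not ISC code) scans dig-style record text for DNSKEY, DS and RRSIG records that use algorithm 5 (RSASHA1) or 7 (NSEC3RSASHA1). It assumes every line carries its owner name, as dig output does; the function name and the sample records are constructed for illustration.

```python
# IANA DNSSEC algorithm numbers of the two algorithms named in the release note.
SHA1_ALGORITHMS = {"5": "RSASHA1", "7": "NSEC3RSASHA1"}
# Index of the algorithm field inside the RDATA of each record type.
ALGORITHM_FIELD = {"DNSKEY": 2, "CDNSKEY": 2, "DS": 1, "CDS": 1, "RRSIG": 1}

# Constructed sample in presentation format (key and signature data are dummies).
SAMPLE = """\
example.org.    3600 IN DNSKEY 257 3 5 ZHVtbXk= ; constructed KSK
example.org.    3600 IN RRSIG DNSKEY 5 2 3600 20220930000000 20220901000000 12345 example.org. c2ln
example.net.    3600 IN DNSKEY 257 3 13 a2V5
example.net.    3600 IN DS 12345 13 2 ABCD
legacy.example. 3600 IN DS 54321 7 1 ABCDEF
"""


def find_sha1_records(text):
    """Return sorted (owner, rrtype, algorithm) tuples for records using algorithm 5 or 7."""
    hits = set()
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        # Layout is: owner [ttl] [class] type rdata..., so the type is in fields 1..3.
        for i in range(1, min(4, len(fields))):
            rrtype = fields[i].upper()
            if rrtype not in ALGORITHM_FIELD:
                continue
            rdata = fields[i + 1:]
            pos = ALGORITHM_FIELD[rrtype]
            if len(rdata) > pos:
                alg = rdata[pos].upper()
                # The field may be a number or, in zone files, a mnemonic.
                name = SHA1_ALGORITHMS.get(alg)
                if name is None and alg in SHA1_ALGORITHMS.values():
                    name = alg
                if name:
                    hits.add((fields[0].lower(), rrtype, name))
            break  # first type token wins, so "RRSIG DNSKEY ..." is read as RRSIG
    return sorted(hits)


if __name__ == "__main__":
    for owner, rrtype, alg in find_sha1_records(SAMPLE):
        print(f"{owner}\t{rrtype}\t{alg}")
```
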