BIND 9.18.6 disables RSASHA1 at runtime?

Mark Andrews marka at isc.org
Fri Sep 2 11:53:28 UTC 2022


We don’t log that rsamd5 is disabled, nor ec or ed curves, when they are not supported by the crypto provider. Why should rsasha1 based algs be special?

-- 
Mark Andrews

> On 2 Sep 2022, at 20:37, Anand Buddhdev <anandb at ripe.net> wrote:
> 
> On 01/09/2022 23:19, Mark Andrews wrote:
> 
> Hi Mark,
> 
>> Yes. You will need to restart the server.
> 
> Okay, I'm trying out 9.18.6 on an Oracle Linux 9 server. When starting BIND, it doesn't log anything about disabling RSASHA1. But when I query it for ietf.org/SOA, I get an unvalidated response. BIND also logs:
> 
> 02-Sep-2022 10:27:13.839 dnssec: validating ietf.org/SOA: no valid signature found
> 
> I think it's fine for BIND to disable RSASHA1, but it might be better to log this when starting, so that it's clear to an operator.
> 
> Regards,
> Anand

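Added example (not part of the original messages and not ISC code): a validator that supports none of the algorithms in a zone's DS RRset treats the zone as insecure (RFC 4035 section 5.2), which matches the unvalidated answer described above. The script below reads DS records in dig answer format and reports which zones would lose validation on a resolver without RSASHA1. The UNSUPPORTED set and the sample records under .example are assumptions constructed for illustration.

```python
import re

# DNSSEC algorithm numbers and mnemonics (IANA registry).
ALGS = {1: "RSAMD5", 5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
        10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
        15: "ED25519", 16: "ED448"}

# Assumption: the crypto provider rejects SHA-1 signatures, so the resolver
# cannot use algorithms 5 and 7. Adjust to match your own platform.
UNSUPPORTED = {5, 7}

# Fields: owner TTL IN DS keytag algorithm digest-type digest
DS_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+DS\s+\d+\s+(\d+)\s+\d+\s+\S+", re.I)

# Constructed sample in `dig +noall +answer <zone> DS` format.
SAMPLE = """\
legacy.example.  3600 IN DS 12345 5 2 AABBCCDD
mixed.example.   3600 IN DS 11111 7 2 AABBCCDD
mixed.example.   3600 IN DS 22222 13 2 DDEEFF00
modern.example.  3600 IN DS 33333 13 2 00112233
"""

def ds_algorithms(dig_answer):
    """Map each owner name to the set of algorithm numbers in its DS RRset."""
    zones = {}
    for line in dig_answer.splitlines():
        m = DS_LINE.match(line.strip())
        if m:
            zones.setdefault(m.group(1).lower(), set()).add(int(m.group(2)))
    return zones

def name(n):
    return ALGS.get(n, f"ALG{n}")

def report(dig_answer, unsupported=UNSUPPORTED):
    """Return zone -> (status, usable algorithms, ignored algorithms)."""
    out = {}
    for zone, algs in ds_algorithms(dig_answer).items():
        usable = algs - unsupported
        # "secure" means validation is still attempted, not that it succeeds.
        status = "secure" if usable else "insecure"
        out[zone] = (status, sorted(map(name, usable)),
                     sorted(map(name, algs - usable)))
    return out

if __name__ == "__main__":
    for zone, (status, usable, ignored) in report(SAMPLE).items():
        print(f"{zone:16} {status:8} usable={usable} ignored={ignored}")
```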
