Bind 9.11 serving up false answers for a single domain. (OT)
Ondřej Surý
ondrej at isc.org
Thu Feb 11 08:35:01 UTC 2021
Thanks! That was the response I was looking for. Much appreciated!
--
Ondřej Surý (He/Him)
ondrej at isc.org
> On 11. 2. 2021, at 9:03, stuart at registry.godaddy wrote:
>
> Good to know.
>
> Will attach a task to the next our next KSK roll process. Should halve the number of SHA1 DS's in the root.
>
> Will also tweak some of our other DNSSEC process documentation to stop providing them.
>
> Stuart
>
> On 11/2/21, 6:49 pm, "bind-users on behalf of Ondřej Surý" <bind-users-bounces at lists.isc.org on behalf of ondrej at isc.org> wrote:
>
> Notice: This email is from an external sender.
>
>
>
>> On 11. 2. 2021, at 7:01, Stuart at registry.godaddy wrote:
>>
>> It's one of those old compatibility things.
>
> Also called *downgrade attack vector*.
>
> Stuart, there’s absolutely no reason to keep any SHA1 in the DNS at the time I am writing this message.
>
> Cheers,
> Ondrej
> --
> Ondřej Surý (He/Him)
> ondrej at isc.org
>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20210211/8e5566e5/attachment.bin>
More information about the bind-users
mailing list