BIND 9.18.6 disables RSASHA1 at runtime?
Bjørn Mork
bjorn at mork.no
Fri Sep 2 12:23:09 UTC 2022
Mark Andrews <marka at isc.org> writes:
> We don’t log rsamd5 is disabled now ec or ed curves when they are not
> supported by the crypto provider. Why should rsasha1 based algs be
> special?
Because RSASHA1 validation still is a MUST in RFC8624? MD5 is and ED is
not.
I don't know if disabled EC curves is a real world problem, but
ECDSAP256SHA256 is also a MUST and should get the same treatment.
IMHO you should not allow the server to start up with a non-compliant
configuration without making sure the administrator is aware of the
problem. A log warning is sort of a minimum. Personally I'd prefer the
server to die by default. It is unsuitable as a validating resolver and
forcing administrators to find that out the hard way is not very nice.
Bjørn