DNSSec mess with SHA1

Wolfgang Riedel Wolfgang.Riedel at f1-consult.com
Thu Dec 14 07:58:08 UTC 2023


Hi Folks,

I just wonder what your take is on the current DNSSec mess with SHA1?

There are still a lot of top level domains being signed with SHA1 and it looks like nobody really cares?
Current OS releases like RHEL9 and others simply removed SHA1 from the code, so if you're running BIND with "dnssec-validation auto" all those domains fail to resolve and the only way out is "dnssec-validation no", which eliminates the whole idea of DNSSec!

The worst is that even nist.gov fails, WTF!
https://dnsviz.net/d/nist.gov/dnssec/

Any advice or ideas?

Thank you,
Wolfgang

________________________________________________________________
Wolfgang Riedel | Distinguished Engineer | CCIE #13804 | VCP #42559

Am Leitenbruennlein 22 | D-91056 Erlangen | Bayern | Germany
phone: +49-9131-610-310
fax: +49-9131-610-333
email: wolfgang.riedel at f1-consult.com
web: www.f1-consult.com
OpenPGP key: CAF005CEC96C30CF4DBA5AFA3DBAFBAF63364
Zoom: https://zoom.us/j/5776157658
WebEx: https://f1-consult.webex.com/meet/wolfgang.riedel
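One way to check whether a zone's keys are the problem before switching validation off, as an added example that is not part of the original post: a Python script that parses DNSKEY and DS records in dig presentation format, computes each key's tag (RFC 4034 Appendix B) and flags the algorithm numbers and DS digest types that depend on SHA-1. The records below are constructed and example.test is a placeholder zone; feed it `dig +noall +answer DNSKEY <zone>` (plus the parent's DS records) for a real check.

```python
import base64
# IANA DNSSEC algorithm numbers; 3/5/6/7 sign with SHA-1, which a SHA-1-less
# crypto policy (e.g. RHEL 9's OpenSSL) can no longer verify.
ALGORITHMS = {3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1",
              8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256",
              14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}
SHA1_ALGORITHMS = {3, 5, 6, 7}
SHA1_DS_DIGEST = 1  # DS digest type 1 is SHA-1 (2 = SHA-256, 4 = SHA-384)

# Constructed sample in dig presentation format: example.test is a placeholder
# zone and the keys are tiny dummies, not real nist.gov data.
SAMPLE = """\
example.test. 3600 IN DNSKEY 257 3 7 AwEAAavN ; constructed KSK
example.test. 3600 IN DNSKEY 256 3 13 AQID ; constructed ZSK
example.test. 3600 IN DS 45783 7 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
example.test. 3600 IN DS 2063 13 2 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
""".splitlines()

def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (not valid for alg 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def audit(lines):
    """One finding per DNSKEY/DS record; 'sha1' marks SHA-1 dependence."""
    findings = []
    for line in lines:
        f = line.split(";")[0].split()  # drop dig's trailing comments
        if len(f) < 8 or f[2] != "IN" or f[3] not in ("DNSKEY", "DS"):
            continue
        if f[3] == "DNSKEY":
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            pubkey = base64.b64decode("".join(f[7:]))  # dig may split the key
            rec = {"tag": key_tag(flags, proto, alg, pubkey), "sha1": alg in SHA1_ALGORITHMS,
                   "role": "KSK" if flags & 1 else "ZSK"}
        else:
            alg, digest = int(f[5]), int(f[6])
            rec = {"tag": int(f[4]), "digest": digest,
                   "sha1": alg in SHA1_ALGORITHMS or digest == SHA1_DS_DIGEST}
        findings.append({"owner": f[0], "type": f[3], "alg": ALGORITHMS.get(alg, str(alg)), **rec})
    return findings

if __name__ == "__main__":
    for r in audit(SAMPLE):
        print("SHA-1" if r["sha1"] else "ok   ", r)
    print("zone depends on SHA-1:", any(r["sha1"] for r in audit(SAMPLE)))
```

A zone whose only keys (or whose DS records) come back flagged cannot validate on a resolver without SHA-1 signature support, which is the failure mode described above.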
