DNSSec mess with SHA1
Petr Špaček
pspacek at isc.org
Thu Dec 14 08:09:33 UTC 2023
On 14. 12. 23 8:58, Wolfgang Riedel via bind-users wrote:
> Hi Folks,
>
> I just wonder what your take is on the current DNSSec mess with SHA1?
>
> There are still a lot of top level domains being signed with SHA1 and
> looks like nobody really cares?
> Current OS releases like RHEL9 and others simply removed SHA1 from the
> code, so if you're running BIND with "dnssec-validation auto" all those
> domains fail to resolve and the only way out is "dnssec-validation no",
> which eliminates the whole idea of DNSSec!
>
> The worst is that even nist.gov fails, WTF!
> https://dnsviz.net/d/nist.gov/dnssec/
>
> Any advice or ideas?
Given the lack of details it's hard to say. Widespread DNSSEC validation
failures on RHEL 9 are not a shared experience.
Please provide:
- **exact** version numbers
- how you got the packages
- which version of OpenSSL is in use, and how it's configured
- whether FIPS mode is in play or not
... and then we can get to diagnosing your issue.
--
Petr Špaček
Internet Systems Consortium
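One check worth making before touching `dnssec-validation` at all is to look at which algorithms a zone's DNSKEY and DS records actually use, because an OS crypto policy that refuses SHA-1 signatures only affects zones whose signing algorithms are SHA-1 based (IANA algorithm numbers 5, 6 and 7). The script below is an added example written for this thread; it is not code from ISC or BIND. The zone names, key material and digests are constructed placeholders, and the function and variable names are the example's own. On a real system the input would be the DNSKEY and DS RRsets as printed by `dig`.

```python
"""Flag DNSSEC zones whose validation depends on SHA-1 (added example, constructed data)."""

# Signing algorithms whose signatures are computed over SHA-1 (IANA DNSSEC
# algorithm numbers). A crypto policy that disables SHA-1 signatures will
# refuse to verify RRSIGs made with these.
SHA1_ALGORITHMS = {5: "RSASHA1", 6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1"}
OTHER_ALGORITHMS = {8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256",
                    14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}
# DS digest types; type 1 is SHA-1 (a hash of the key, not a signature).
DS_DIGESTS = {1: "SHA-1", 2: "SHA-256", 3: "GOST", 4: "SHA-384"}


def parse_rr(line):
    """Split one record in presentation format into (owner, TYPE, rdata fields).

    Accepts the usual dig layout 'owner [ttl] [IN] TYPE rdata...'; TTL and
    class are optional, as they are in a zone file.
    """
    fields = line.split()
    owner, rest = fields[0], fields[1:]
    if rest and rest[0].isdigit():
        rest = rest[1:]                      # drop TTL
    if rest and rest[0].upper() in ("IN", "CH", "HS"):
        rest = rest[1:]                      # drop class
    return owner, rest[0].upper(), rest[1:]


def audit(lines):
    """Report how strongly a zone's DNSKEY/DS set depends on SHA-1."""
    key_algs, ds_digests = set(), set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):  # skip blanks and comments
            continue
        _owner, rtype, rdata = parse_rr(line)
        if rtype == "DNSKEY":
            key_algs.add(int(rdata[2]))       # DNSKEY: flags protocol algorithm key
        elif rtype == "DS":
            ds_digests.add(int(rdata[2]))     # DS: keytag algorithm digesttype digest
    sha1_keys = sorted(a for a in key_algs if a in SHA1_ALGORITHMS)
    other_keys = sorted(a for a in key_algs if a not in SHA1_ALGORITHMS)
    if key_algs and not other_keys:
        verdict = "sha1-only"   # no chain a validator can build without SHA-1 signatures
    elif sha1_keys:
        verdict = "mixed"       # a non-SHA-1 algorithm is also present, e.g. mid-rollover
    else:
        verdict = "clean"
    return {
        "sha1_key_algorithms": [SHA1_ALGORITHMS[a] for a in sha1_keys],
        "other_key_algorithms": [OTHER_ALGORITHMS.get(a, str(a)) for a in other_keys],
        "ds_digests": sorted(DS_DIGESTS.get(d, str(d)) for d in ds_digests),
        "ds_sha1_only": bool(ds_digests) and ds_digests == {1},
        "verdict": verdict,
    }


# Constructed sample records (placeholder key material and digests, not real zones).
SHA1_ZONE = [
    "; a zone still signed only with RSASHA1-NSEC3-SHA1",
    "sha1.example.test. 3600 IN DNSKEY 257 3 7 AwEAAfakeKSKmaterial=",
    "sha1.example.test. 3600 IN DNSKEY 256 3 7 AwEAAfakeZSKmaterial=",
    "sha1.example.test. 3600 IN DS 12345 7 1 0123456789abcdef0123456789abcdef01234567",
    "sha1.example.test. 3600 IN DS 12345 7 2 " + "ab" * 32,
]
MODERN_ZONE = [
    "ok.example.test. 3600 IN DNSKEY 257 3 13 fakeECDSAKSK=",
    "ok.example.test. 3600 IN DNSKEY 256 3 13 fakeECDSAZSK=",
    "ok.example.test. 3600 IN DS 54321 13 2 " + "cd" * 32,
]

if __name__ == "__main__":
    for name, zone in (("sha1.example.test.", SHA1_ZONE), ("ok.example.test.", MODERN_ZONE)):
        print(name, audit(zone))
```

A verdict of `sha1-only` means a validator whose OpenSSL will not verify SHA-1 signatures has no algorithm left with which to validate that zone; a `mixed` zone still offers a non-SHA-1 chain. Whether a given BIND build then treats such a zone as insecure or returns SERVFAIL depends on exactly the details asked for above (BIND version, OpenSSL configuration, FIPS mode), so this audit narrows the question to the zones that actually matter rather than answering it.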