Answers for www.dnssec-failed.org with dnssec-validation auto;

[John Thurston]

Arrgh. You are correct. I was so far down in the weeds, I didn't notice 
a rock had fallen on my head.

I know I can re-enable SHA1 for everything on the host with:

update-crypto-policies --set DEFAULT:SHA1

But that's a fairly broad stroke, when only 'named' needs to accept such 
signatures. Is there a way to narrow it down?


--
Do things because you should, not just because you can.

John Thurston    907-465-8591
John.Thurston at alaska.gov
Department of Administration
State of Alaska

On 4/17/2024 9:21 AM, Ondřej Surý wrote:
> Let me guess - you are running on RHEL (without SHA-1 support) and 
> dnssec-failed.org is signed with RSA/SHA-1…
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20240417/b16dbf12/attachment.htm>