Unbound 1.6.2rc1 pre-release

A. Schulze sca at andreasschulze.de
Sat Apr 22 11:43:41 UTC 2017



Am 22.04.2017 um 13:20 schrieb A. Schulze via Unbound-users:
> 
> 
> Am 13.04.2017 um 10:17 schrieb W.C.A. Wijngaards via Unbound-users:
>  
>> Unbound 1.6.2rc1 maintainers prerelease is available:
>> - --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and
>>   DS records.  NSEC3 is not disabled.
> 
> I tried --disable-sha1 and found any org. zone no longer got validated
> (was handled like unsigned)

there are currently 2727 DS records in the root zone.
  65 x Algorithm 5  for DNSKEY RSA/SHA-1
 474 x Algorithm 7  for DNSKEY RSASHA1-NSEC3-SHA1
2152 x Algorithm 8  for DNSKEY RSA/SHA-256
  36 x Algorithm 10 for DNSKEY RSA/SHA512

--disable-sha1 make 539 zones / ~20% of the root zone unsigned
sound strongly not like "enabled on production systems" :-)

Andreas




More information about the Unbound-users mailing list