Maintained by: NLnet Labs

[Unbound-users] MD5 status deprecated by RFC6725

Paul Wouters
Tue Sep 4 16:35:16 CEST 2012


On Tue, 4 Sep 2012, Ray Bellis wrote:

> On 31 Aug 2012, at 09:56, W.C.A. Wijngaards <wouter at NLnetLabs.nl> wrote:
>
>> Are there other arguments we should take into consideration?
>
> Yes.  As I understand it there is _zero_ evidence that MD5 is insecure when used as a digest in DNSSEC.
>
> IMHO, this option should be a configurable _policy_ decision, and for now it should default to the conservative "accept" position.

Note that FIPS mode bans MD5 irrespective of its use. So in FIPS mode,
MD5 will not be available, and unbound will have to be able to deal
with that. Since no one is deploying MD5 in DNSSEC, it might be
easier to just disable it per default, or at least have a compile
time option to disable it for those compiling for FIPS mode.

Paul