Unable to resolv 1 domain

W.C.A. Wijngaards wouter at nlnetlabs.nl
Mon Apr 10 13:22:35 UTC 2017


Hi Ondrej,

On 10/04/17 15:18, Ondřej Surý wrote:
> Perhaps this could be added to things controlled by:
> 
> harden-algo-downgrade: yes/no?
> 
> I don't think there's any security risk from using SHA1 for DS record
> verification even if SHA-2 is available.

I never analysed the implications, but just implemented the RFC.  That
is why I am surprised by this.

And I think you are right and that stuff can be controlled by the same
switch.  More leniency and strictness choice.

Best regards, Wouter

> 
> Ultimately, it's your call and decision.
> 
> Cheers,
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20170410/367a674f/attachment.bin>


More information about the Unbound-users mailing list