Mark Andrews <ma...@isc.org> writes:

> We don’t log rsamd5 is disabled now ec or ed curves when they are not
> supported by the crypto provider. Why should rsasha1 based algs be
> special?

Because RSASHA1 validation still is a MUST in RFC8624? MD5 is and ED is not. I don't know if disabled EC curves is a real world problem, but ECDSAP256SHA256 is also a MUST and should get the same treatment.

IMHO you should not allow the server to start up with a non-compliant configuration without making sure the administrator is aware of the problem. A log warning is sort of a minimum. Personally I'd prefer the server to die by default. It is unsuitable as a validating resolver and forcing administrators to find that out the hard way is not very nice.

Bjørn

--
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
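The start-up policy Bjørn argues for (refuse to start, or at least warn, when the crypto provider cannot validate an RFC 8624 MUST algorithm) as an added example; this is not BIND code. The provider's capabilities are modelled as a constructed set of primitive names ("rsa", "sha1", "ecdsa-p256", ...); mapping those to a real provider such as OpenSSL is left to the operator.

```python
"""Hypothetical pre-start audit of a validating resolver against RFC 8624.

Capabilities are a constructed set of primitive names; they stand in for
whatever the crypto provider actually reports."""

# RFC 8624 section 3.1 validation requirement per DNSSEC algorithm mnemonic,
# with the primitives the provider must offer to validate that algorithm.
# MUST NOT algorithms (RSAMD5, DSA, ...) are deliberately absent: a provider
# lacking them raises no finding, matching the point that rsamd5 being
# disabled is not worth logging.
VALIDATION_POLICY = {
    "RSASHA1":            ("MUST",        {"rsa", "sha1"}),
    "RSASHA1-NSEC3-SHA1": ("MUST",        {"rsa", "sha1"}),
    "RSASHA256":          ("MUST",        {"rsa", "sha256"}),
    "RSASHA512":          ("MUST",        {"rsa", "sha512"}),
    "ECDSAP256SHA256":    ("MUST",        {"ecdsa-p256", "sha256"}),
    "ECDSAP384SHA384":    ("RECOMMENDED", {"ecdsa-p384", "sha384"}),
    "ED25519":            ("RECOMMENDED", {"ed25519"}),
    "ED448":              ("RECOMMENDED", {"ed448"}),
}


def audit_validator(capabilities):
    """Return (algorithm, requirement, severity, message) for every gap.

    A missing MUST algorithm is fatal: the resolver cannot validate zones
    signed with it and will treat them as bogus or insecure. A missing
    RECOMMENDED algorithm only earns a warning."""
    findings = []
    for alg, (req, needed) in VALIDATION_POLICY.items():
        missing = needed - set(capabilities)
        if not missing:
            continue
        severity = "fatal" if req == "MUST" else "warn"
        findings.append((alg, req, severity,
                         f"{alg} ({req}) unavailable: provider lacks "
                         f"{sorted(missing)}"))
    return findings


def startup_decision(findings, die_on_noncompliance=True):
    """'fatal' = refuse to start, 'warn' = log and continue, 'ok' = clean.

    die_on_noncompliance=False downgrades fatal gaps to warnings, i.e. the
    "log warning as a minimum" behaviour rather than dying by default."""
    severities = {f[2] for f in findings}
    if "fatal" in severities:
        return "fatal" if die_on_noncompliance else "warn"
    return "warn" if "warn" in severities else "ok"
```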