On 9/2/22 14:23, Bjørn Mork wrote:
> Mark Andrews <ma...@isc.org> writes:
>> We don’t log that rsamd5 is disabled, nor ec or ed curves when they are not
>> supported by the crypto provider. Why should rsasha1 based algs be
>> special?
> Because RSASHA1 validation still is a MUST in RFC8624? MD5 is and ED is
> not.
> I don't know if disabled EC curves is a real-world problem, but
> ECDSAP256SHA256 is also a MUST and should get the same treatment.
> IMHO you should not allow the server to start up with a non-compliant
> configuration without making sure the administrator is aware of the
> problem. A log warning is sort of a minimum. Personally I'd prefer the
> server to die by default. It is unsuitable as a validating resolver and
> forcing administrators to find that out the hard way is not very nice.
> Bjørn
I do not think all servers should fail to start on CentOS Stream 9,
RHEL9 and derivatives. Yes, I have hit that too: it does not report at all
which algorithms are ready to use. But the DEFAULT crypto policy on those
distributions simply does not allow validation of SHA-1 based signatures
to succeed. It is suitable for all other algorithms, so I disagree that
without algorithms 5 and 7 it is not usable at all. The majority of secured
domains use stronger algorithms already.
I think it might report at least a single line with a list of successfully
initialized algorithms. So it would not report that RSASHA1 is not available,
but a list of algorithms which are available in this build AND runtime
environment. I think such a list would be short enough.
Administrators should be aware of those issues by reading release notes
on affected distributions. They should not be surprised so much.
Regards,
Petr
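The two positions in the thread are easy to combine in a small check: take the "list of algorithms available in this build and runtime environment" that Petr proposes logging, and compare it with the validation requirements of RFC 8624 section 3.1 that Bjørn refers to (RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512 and ECDSAP256SHA256 are MUST; ECDSAP384SHA384 and ED25519 are RECOMMENDED; RSAMD5, DSA and DSA-NSEC3-SHA1 are MUST NOT). The script below is an added example written for this thread, not code from BIND or ISC. The log line format `DNSSEC algorithms available: ...` is a hypothetical one standing in for the single line proposed above; BIND does not emit it, and the sample lines are constructed to model a RHEL 9 DEFAULT crypto policy host (SHA-1 signatures blocked) versus a host where SHA-1 still verifies.

```python
"""Compare the DNSSEC algorithms a resolver can actually use against the
validation requirements of RFC 8624, section 3.1.

Added example for the bind-users thread above; not BIND's own code.
Assumes a hypothetical startup log line of the form
    "DNSSEC algorithms available: RSASHA256 RSASHA512 ECDSAP256SHA256 ..."
listing what the build plus the runtime crypto provider can validate.
"""
import re

# RFC 8624 section 3.1, "DNSSEC Validation" column, keyed by algorithm number.
RFC8624_VALIDATION = {
    1:  ("RSAMD5",             "MUST NOT"),
    3:  ("DSA",                "MUST NOT"),
    5:  ("RSASHA1",            "MUST"),
    6:  ("DSA-NSEC3-SHA1",     "MUST NOT"),
    7:  ("RSASHA1-NSEC3-SHA1", "MUST"),
    8:  ("RSASHA256",          "MUST"),
    10: ("RSASHA512",          "MUST"),
    12: ("ECC-GOST",           "MAY"),
    13: ("ECDSAP256SHA256",    "MUST"),
    14: ("ECDSAP384SHA384",    "RECOMMENDED"),
    15: ("ED25519",            "RECOMMENDED"),
    16: ("ED448",              "MAY"),
}
MNEMONIC_TO_NUMBER = {name: num for num, (name, _) in RFC8624_VALIDATION.items()}

# Constructed sample lines (hypothetical format, see module docstring).
# First: what a RHEL 9 / CentOS Stream 9 host with the DEFAULT crypto policy
# would plausibly report, since the policy refuses SHA-1 based signatures.
SAMPLE_SHA1_BLOCKED = ("DNSSEC algorithms available: RSASHA256 RSASHA512 "
                       "ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448")
# Second: a host whose crypto provider still verifies SHA-1 signatures.
SAMPLE_SHA1_ALLOWED = ("DNSSEC algorithms available: RSASHA1 RSASHA1-NSEC3-SHA1 "
                       "RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519")


def parse_available(line):
    """Return the set of algorithm numbers named in the log line.

    Tokens may be mnemonics (any case) or numbers, separated by spaces or
    commas; tokens that are neither are ignored rather than treated as an
    error, so an unknown private algorithm does not break the check.
    """
    m = re.search(r"available:\s*(.*)$", line)
    if not m:
        raise ValueError("not an algorithm list line: %r" % line)
    found = set()
    for tok in m.group(1).replace(",", " ").split():
        if tok.isdigit():
            found.add(int(tok))
        elif tok.upper() in MNEMONIC_TO_NUMBER:
            found.add(MNEMONIC_TO_NUMBER[tok.upper()])
    return found


def check_validation_policy(available):
    """Classify an available-algorithm set against RFC 8624 validation levels.

    The resolver counts as compliant only when every MUST algorithm can be
    validated and no MUST NOT algorithm is reported as usable.
    """
    by_level = lambda lvl: [n for n, (_, l) in RFC8624_VALIDATION.items() if l == lvl]
    missing_must = sorted(n for n in by_level("MUST") if n not in available)
    missing_recommended = sorted(n for n in by_level("RECOMMENDED") if n not in available)
    forbidden_enabled = sorted(n for n in by_level("MUST NOT") if n in available)
    return {
        "missing_must": missing_must,
        "missing_recommended": missing_recommended,
        "forbidden_enabled": forbidden_enabled,
        "compliant": not missing_must and not forbidden_enabled,
    }


def report(line):
    """Parse one log line and return (result dict, list of human-readable warnings)."""
    result = check_validation_policy(parse_available(line))
    warnings = []
    for n in result["missing_must"]:
        warnings.append("warning: RFC 8624 MUST algorithm %d (%s) cannot be validated"
                        % (n, RFC8624_VALIDATION[n][0]))
    for n in result["missing_recommended"]:
        warnings.append("notice: RECOMMENDED algorithm %d (%s) cannot be validated"
                        % (n, RFC8624_VALIDATION[n][0]))
    for n in result["forbidden_enabled"]:
        warnings.append("warning: MUST NOT algorithm %d (%s) is reported as usable"
                        % (n, RFC8624_VALIDATION[n][0]))
    return result, warnings


if __name__ == "__main__":
    for sample in (SAMPLE_SHA1_BLOCKED, SAMPLE_SHA1_ALLOWED):
        result, warnings = report(sample)
        print(sample)
        print("  RFC 8624 validation compliant:", result["compliant"])
        for w in warnings:
            print("  " + w)
```

Run against the first sample the check reports algorithms 5 and 7 as missing MUSTs and the resolver as non-compliant, which is the situation Bjørn describes; against the second it reports compliant. Whether that non-compliance should be a log warning or fatal is exactly the policy question the thread is about, and the script deliberately leaves that decision to the caller.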
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users