On Tue, Mar 18, 2025 at 03:29:00AM -0700, Wes Hardaker wrote:

> Also a good point. How is this as a replacement:
>
> This document deprecates the use of RSASHA1 and RSASHA1-NSEC3-SHA1
> signatures since they are no longer considered to be secure.

The situation is slightly more dire than that, because some validators are on systems where RSA+SHA1 signatures fail validation in the underlying cryptography library, but the nameserver is not aware of this and considers these zones to have failed validation, rather than just be merely implicitly "insecure". This is not a widespread issue, but puzzled operators continue to show up on mailing lists from time to time, because their resolvers are failing to resolve some algorithm 5 and 7 domains.

-- 
    Viktor.

_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org
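
The failure mode described in the message above, as an added example that is not part of the original message and not code from any resolver or cryptography library: a small model of a validator whose configured algorithm list disagrees with what its crypto backend will actually verify. The names `make_backend`, `probe`, `validate` and `PolicyError` are hypothetical, and the backend is a stand-in that simply refuses algorithms 5 and 7.

```python
# Added illustration; a model, not code from any resolver or crypto library.
RSASHA1, RSASHA1_NSEC3_SHA1, RSASHA256 = 5, 7, 8  # IANA DNSSEC algorithm numbers


class PolicyError(Exception):
    """Raised by the hypothetical backend when local policy forbids an algorithm."""


def make_backend(disabled):
    """Build a stand-in for the crypto library; `disabled` models a no-SHA-1 policy."""
    def verify(alg, signature_ok):
        if alg in disabled:
            raise PolicyError(f"algorithm {alg} disabled by crypto policy")
        return signature_ok
    return verify


def probe(configured, verify):
    """Keep only algorithms the backend can really verify (startup self-test)."""
    usable = set()
    for alg in configured:
        try:
            if verify(alg, True):  # stands in for a known-answer test
                usable.add(alg)
        except PolicyError:
            pass
    return usable


def validate(ds_algs, supported, verify, signature_ok=True):
    """Classify a delegation as 'secure', 'insecure' or 'bogus'."""
    candidates = [a for a in ds_algs if a in supported]
    if not candidates:
        # RFC 4035 section 5.2: no supported algorithm in the DS RRset
        # means the zone is treated as unsigned, not as a failure.
        return "insecure"
    for alg in candidates:
        try:
            if verify(alg, signature_ok):
                return "secure"
        except PolicyError:
            continue  # the library refused; the resolver sees a failed check
    return "bogus"


CONFIGURED = {RSASHA1, RSASHA1_NSEC3_SHA1, RSASHA256}
NO_SHA1 = make_backend({RSASHA1, RSASHA1_NSEC3_SHA1})
```

With the unprobed `CONFIGURED` set, an algorithm 5 zone comes out "bogus" (a resolution failure for the client); with `probe(CONFIGURED, NO_SHA1)` the same zone comes out "insecure" and still resolves.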