Validating DSA algorithms #153
Comments
And whilst the RFC does not stipulate as such, but NOT RECOMMENDED for SHA1, recent revelations would suggest disabling SHA1 as well. [1] https://www.icann.org/news/blog/it-s-time-to-move-away-from-using-sha-1-in-the-dns
That NOT RECOMMENDED was just for signing (i.e. in a different column). Still, who knows, the RFC might've been a little bit stricter if written today :-) (It was published less than a year ago, but its origins are a couple of years older.)
Right, my reading glasses, where are they now?
So for both these things that are configure options |
* nlnet/master: (28 commits)
- Add changelog entry for PR#148.
- Add changelog entry for PR#154
- autoconf after PR#154
- Fix NLnetLabs#153: Disable validation for DSA algorithms. RFC 8624 compliance. Changelog note for PR#155.
- Merge PR#155 from Robert Edmonds: contrib/libunbound.pc.in: Fixes to Libs/Requires for crypto library dependencies. contrib/libunbound.pc.in: Embed the correct crypto dependencies contrib/libunbound.pc.in: Only specify -lunbound for Libs Allow use of libbsd functions with configure option --with-libbsd Changelog and contrib/README note for PR#150.
- Merge PR#150 from Frzk: Systemd unit without chroot. It adds contrib/unbound_nochroot.service.in, a systemd file for use with chroot: "", see comments in the file, it uses systemd protections instead. Patch configure.ac file to take the new contrib/unbound_nochroot.service unit file into consideration. Added a new unit file to run unbound with systemd and without chroot. Update unbound_munin_
- Fix auth zone support for NSEC3 records without salt.
- Fix for memory leak when edns subnet config options are read when compiled without edns subnet support.
- Fix crash after reload where a stats lookup could reference old key cache and neg cache structures.
- Removed the dnscrypt_queries and dnscrypt_queries_chacha tests, because dnscrypt-proxy (2.0.36) does not support the test setup any more, and also the config file format does not seem to have the appropriate keys to recreate that setup.
- Fix unreachable code in ssl set options code.
- Fix the relationship between serve-expired and prefetch options, patch from Saksham Manchanda from Secure64.
- Add changelog entry for fix NLnetLabs#138 (stop binding pidfile inside chroot dir in systemd service file). unbound.service.in: stop binding pidfile inside chroot dir
- And update for more spare space.
...
Currently unbound seems to consider the two `DSA*` signing algorithms as secure (unless `--disable-dsa`). Is there some reason for that? The latest standard says that these must not be supported in validators.
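As an added example (not code from this issue or from unbound itself), here is the RFC 8624 policy check that the fix for this issue amounts to, written in Python: DSA (algorithms 3 and 6) is dropped from validation, so a zone signed only with DSA becomes insecure rather than secure, while RSASHA1 (5 and 7) stays validatable even though it is NOT RECOMMENDED for signing, the two-column distinction raised in the comments above. The table values are from RFC 8624 section 3.1; the DNSKEY lines and key data are constructed.

```python
# Added example: RFC 8624 section 3.1 policy applied to a zone's DNSKEY RRset.
# Algorithms whose *validation* column is MUST NOT are ignored; a zone offering
# only such algorithms is treated as insecure (RFC 4035 s5.2), never as secure.

# number -> (mnemonic, signing status, validation status), RFC 8624 s3.1
RFC8624 = {
    1:  ("RSAMD5",             "MUST NOT",        "MUST NOT"),
    3:  ("DSA",                "MUST NOT",        "MUST NOT"),
    5:  ("RSASHA1",            "NOT RECOMMENDED", "MUST"),
    6:  ("DSA-NSEC3-SHA1",     "MUST NOT",        "MUST NOT"),
    7:  ("RSASHA1-NSEC3-SHA1", "NOT RECOMMENDED", "MUST"),
    8:  ("RSASHA256",          "MUST",            "MUST"),
    10: ("RSASHA512",          "NOT RECOMMENDED", "MUST"),
    12: ("ECC-GOST",           "MUST NOT",        "MAY"),
    13: ("ECDSAP256SHA256",    "MUST",            "MUST"),
    14: ("ECDSAP384SHA384",    "MAY",             "RECOMMENDED"),
    15: ("ED25519",            "RECOMMENDED",     "RECOMMENDED"),
    16: ("ED448",              "MAY",             "RECOMMENDED"),
}

def algorithm_policy(alg):
    """(mnemonic, signing, validation) for a DNSKEY algorithm number;
    numbers not in the table are unknown and therefore unsupported."""
    return RFC8624.get(alg, ("UNKNOWN", "MUST NOT", "MUST NOT"))

def validator_may_use(alg):
    """True unless RFC 8624 says a validator MUST NOT use the algorithm."""
    return algorithm_policy(alg)[2] != "MUST NOT"

def dnskey_algorithms(rrset_text):
    """Algorithm numbers from 'owner TTL [IN] DNSKEY flags proto alg key' lines."""
    algs = []
    for line in rrset_text.strip().splitlines():
        fields = line.split()
        if "DNSKEY" in fields:
            algs.append(int(fields[fields.index("DNSKEY") + 3]))
    return algs

def classify_zone(rrset_text):
    """(outcome, usable, ignored): 'validate' if some DNSKEY algorithm may be
    used (signature checks then decide secure vs bogus), else 'insecure'."""
    algs = dnskey_algorithms(rrset_text)
    usable = [a for a in algs if validator_may_use(a)]
    ignored = [a for a in algs if not validator_may_use(a)]
    return ("validate" if usable else "insecure", usable, ignored)

# Constructed sample RRsets (placeholder key data, not real keys).
DSA_ONLY = "example. 3600 IN DNSKEY 257 3 3 CONSTRUCTEDKEYDATA\n"
MIXED = ("example. 3600 IN DNSKEY 257 3 3 CONSTRUCTEDKEYDATA\n"
         "example. 3600 IN DNSKEY 256 3 13 CONSTRUCTEDKEYDATA\n")
```

For the mixed zone the DSA key is simply ignored and validation proceeds with the ECDSA key; for the DSA-only zone the validator must answer insecure, which is the behaviour change `--disable-dsa` (and the #153 fix) produces.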