Validating DSA algorithms

[vcunat]

Currently unbound seems to consider the two DSA* signing algorithms as secure (unless --disable-dsa). Is there some reason for that? The latest standard says that these must not be supported in validators.

And whilst the RFC does not stipulate as such, but NOT RECOMMENDED for SHA1, recent revelations would suggest to disable SHA1 as well.
It would not have any repercussion since DNSSEC is not leveraged at all in any major end user application, be it web browsers or email clients or any other applications that less visibly to the end user establishes connectivity to the internet with DNS involved.

---

^[1] https://www.icann.org/news/blog/it-s-time-to-move-away-from-using-sha-1-in-the-dns

[vcunat]

That not recommended was just for signing (i.e. in different column). Still who knows, the RFC might've been a little bit stricter if written today :-) (It was published less than a year ago, but its origins are a couple years older.)

Right, my reading glasses where are they now?

[wcawijngaards]

So for both these things that are configure options --disable-dsa and --disable-sha1. Since the RFC stops signers from sha1, this is not the validator, so we should not ship that by default. It is there are a configure flag should you want that behaviour, right now. The dsa thing can be switched to default off, I guess, since that is what the RFC wants.