[dns-operations] Missing algorithm 8 signatures in .museum zone

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Nov 16 18:53:19 UTC 2017



> On Nov 16, 2017, at 1:38 PM, <ondrej at sury.org> <ondrej at sury.org> wrote:
> 
> Nope, that just means that NLNetLabs should remove harden-algo-downgrade option from Unbound as it is causing operational problems.
> 
> And you should disable it.

Actually, it has been working remarkably well for me, for many years,
with .museum the first observed problem.  Why do you feel so strongly
that hardening against algorithm downgrade attacks is bad?

In any case, my system is a bit of a "canary", doing DNSSEC/DANE
deployment surveys, so having it fail is perhaps a feature. Is
there broad consensus that we should just accept algorithm
downgrades?  If so, I could indeed stop looking for sites that
run into trouble that way.

-- 
	Viktor.




More information about the dns-operations mailing list