[dns-operations] [Ext] SHA-1 DNSSEC verification broken in RHEL 9 and CentOS 9 Stream

[Petr Menšík]

I admit feedback from the DNS community were mostly negative or
indifferent. Because the cause of this breakage is already merged and
prepared for release, it would have to be reverted.

We have no feedback from our customers on this topic yet, because
already released RHEL 9 Beta did not contain the responsible change.
Final RHEL 9.0 haven't been released yet. I am trying to receive
feedback how critical this change can be. What types of deployments can
it affect or even break?

I think SMTP services using DANE might be hit by this change. I don't
have any numbers how many our customers need SHA-1 domains secure. I
would like to receive any opinions here. Ideally backed by some numbers.

On 4/13/22 20:35, Paul Hoffman wrote:
> To date, have any of your customers or anyone in the DNS community, supported your choice of how to implement this? If not, or if only a trivial number have, does that affect your decision on how to implement this?
This decision were not made by me and I had no vote for it before it was
done. I try to reduce negative impact of it. But probability of
reverting that change just because DNSSEC validators not prepared for it
is low. Unless it has dramatic negative impact which I haven't found so far.
>
> --Paul Hoffman

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB