[dns-operations] [Ext] SHA-1 DNSSEC verification broken in RHEL 9 and CentOS 9 Stream

Petr Menšík pemensik at redhat.com
Wed Apr 13 21:08:03 UTC 2022

I admit feedback from the DNS community was mostly negative or
indifferent. Because the cause of this breakage is already merged and
prepared for release, it would have to be reverted.

We have no feedback from our customers on this topic yet, because the
already released RHEL 9 Beta did not contain the responsible change.
Final RHEL 9.0 hasn't been released yet. I am trying to receive
feedback on how critical this change can be. What types of deployments can
it affect or even break?

I think SMTP services using DANE might be hit by this change. I don't
have any numbers on how many of our customers need SHA-1 domains to be secure. I
would like to receive any opinions here, ideally backed by some numbers.

On 4/13/22 20:35, Paul Hoffman wrote:
> To date, have any of your customers or anyone in the DNS community, supported your choice of how to implement this? If not, or if only a trivial number have, does that affect your decision on how to implement this?
This decision was not made by me and I had no vote on it before it was
done. I try to reduce the negative impact of it. But the probability of
reverting that change just because DNSSEC validators are not prepared for it
is low, unless it has a dramatic negative impact, which I haven't found so far.
> --Paul Hoffman

Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
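The question above, which deployments a SHA-1-refusing validator will break, comes down to which zones still carry DNSKEY/RRSIG records with algorithm 5 (RSASHA1) or 7 (RSASHA1-NSEC3-SHA1), or DS records with digest type 1 (SHA-1). The following is an added example written for this page; it is not code from the thread, from Red Hat or from any DNS software. It parses records in standard presentation format and reports every record that such a validator cannot use. The zone text, the names example.test and modern.test, the key tags and the key/signature material are constructed placeholders. The TLSA record in the sample shows the DANE case: the TLSA RRset itself has no algorithm, but its RRSIG is made with the algorithm 7 key, so a validator that refuses SHA-1 signatures cannot validate it.

```python
"""Flag DNSSEC records whose validation depends on SHA-1.

Added example for the thread above, not Red Hat or project code. It assumes
a validator that refuses SHA-1 signatures cannot verify RRSIGs made with
DNSSEC algorithms 5 and 7 and cannot use DS records with digest type 1.
"""

# DNSSEC algorithm numbers (IANA registry) whose signatures are over SHA-1.
SHA1_SIGNATURE_ALGORITHMS = {
    5: "RSASHA1",
    7: "RSASHA1-NSEC3-SHA1",
}
# DS digest type 1 is SHA-1 (2 is SHA-256, 4 is SHA-384).
SHA1_DS_DIGEST = 1


def parse_record(line):
    """Parse one presentation-format RR into (owner, rrtype, fields).

    Only the fields needed for the check are kept:
      DNSKEY  owner [ttl] [class] DNSKEY flags protocol algorithm key
      DS      owner [ttl] [class] DS keytag algorithm digesttype digest
      RRSIG   owner [ttl] [class] RRSIG covered algorithm labels ...
    Returns None for comments, blank lines and every other type.
    """
    line = line.split(";", 1)[0].strip()
    if not line:
        return None
    tokens = line.split()
    owner, rest = tokens[0], tokens[1:]
    if rest and rest[0].isdigit():          # optional TTL
        rest = rest[1:]
    if rest and rest[0].upper() in ("IN", "CH", "HS"):  # optional class
        rest = rest[1:]
    if not rest:
        return None
    rrtype, rdata = rest[0].upper(), rest[1:]
    try:
        if rrtype == "DNSKEY":
            return (owner, rrtype,
                    {"flags": int(rdata[0]), "algorithm": int(rdata[2])})
        if rrtype == "DS":
            return (owner, rrtype,
                    {"keytag": int(rdata[0]), "algorithm": int(rdata[1]),
                     "digest_type": int(rdata[2])})
        if rrtype == "RRSIG":
            return (owner, rrtype,
                    {"covers": rdata[0].upper(), "algorithm": int(rdata[1])})
    except (IndexError, ValueError):
        return None
    return None


def sha1_findings(zone_text):
    """Return (owner, rrtype, reason) for each record a SHA-1-free validator
    would refuse to use. An empty list means the zone data is unaffected."""
    findings = []
    for line in zone_text.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue
        owner, rrtype, f = parsed
        if rrtype in ("DNSKEY", "RRSIG") and f["algorithm"] in SHA1_SIGNATURE_ALGORITHMS:
            name = SHA1_SIGNATURE_ALGORITHMS[f["algorithm"]]
            # SEP bit (value 1) distinguishes the KSK from the ZSK.
            detail = (f"covers {f['covers']}" if rrtype == "RRSIG"
                      else ("KSK" if f["flags"] & 1 else "ZSK"))
            findings.append((owner, rrtype, f"algorithm {f['algorithm']} ({name}), {detail}"))
        elif rrtype == "DS":
            if f["digest_type"] == SHA1_DS_DIGEST:
                findings.append((owner, rrtype, f"digest type 1 (SHA-1) for key tag {f['keytag']}"))
            elif f["algorithm"] in SHA1_SIGNATURE_ALGORITHMS:
                findings.append((owner, rrtype, f"refers to algorithm {f['algorithm']} key, tag {f['keytag']}"))
    return findings


def zone_depends_on_sha1(zone_text):
    return bool(sha1_findings(zone_text))


# Constructed sample: a DANE-enabled mail domain still signed with algorithm 7,
# next to a zone already on ECDSA P-256 (algorithm 13). Keys and signatures
# are placeholders, not real material.
SAMPLE_ZONE = """\
example.test.    3600 IN DNSKEY 257 3 7 AwEAAc...   ; KSK
example.test.    3600 IN DNSKEY 256 3 7 AwEAAd...   ; ZSK
example.test.    3600 IN RRSIG  DNSKEY 7 2 3600 20220501000000 20220401000000 12345 example.test. c2ln...
_25._tcp.mail.example.test. 3600 IN TLSA 3 1 1 0123456789abcdef
_25._tcp.mail.example.test. 3600 IN RRSIG TLSA 7 5 3600 20220501000000 20220401000000 54321 example.test. c2ln...
example.test.    3600 IN DS 12345 7 1 0123456789abcdef0123456789abcdef01234567   ; parent's DS, SHA-1 digest
modern.test.     3600 IN DNSKEY 257 3 13 mdsswU...
modern.test.     3600 IN RRSIG  DNSKEY 13 2 3600 20220501000000 20220401000000 2222 modern.test. abcd...
"""

if __name__ == "__main__":
    for owner, rrtype, reason in sha1_findings(SAMPLE_ZONE):
        print(f"{owner:30} {rrtype:7} {reason}")
```

In practice the input would be the output of a `dig +dnssec` query for DNSKEY, DS and the TLSA name, or a signed zone file; the parser ignores every other record type, so the full zone can be fed in unchanged. A clean result for the zone's own records is not enough on its own: the parent's DS record must also use a digest type other than 1, which is why the DS check is included.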
