From: Mark Andrews
Date: Tue, 15 Jul 2025 14:38:53 +0000 (+1000)
Subject: chg: usr: Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1 and DS digest type 1
X-Git-Tag: v9.21.11~46
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c407f3c12a47e6124d11cf1b8c11b2394083b940;p=thirdparty%2Fbind9.git

chg: usr: Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1 and DS digest type 1

RSASHA1 and RSASHA1-NSEC-SHA1 DNSKEY algorithms have been deprecated by the IETF and should no longer be used for DNSSEC. DS digest type 1 (SHA1) has also been deprecated. Validators are now expected to treat these algorithms and digest as unknown, resulting in some zones being treated as insecure when they were previously treated as secure. Warnings have been added to named and tools when these algorithms and this digest are being used for signing.

Zones signed with RSASHA1 or RSASHA1-NSEC-SHA1 should be migrated to a different DNSKEY algorithm.

Zones with DS or CDS records with digest type 1 (SHA1) should be updated to use a different digest type (e.g. SHA256) and the digest type 1 records should be removed.

Related to #5358

Merge branch '5358-add-sha1-deprecation-warnings' into 'main'

See merge request isc-projects/bind9!10559
---
c407f3c12a47e6124d11cf1b8c11b2394083b940
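
A check for the records this commit message asks operators to migrate, as an added example that is not part of the commit or of BIND: it scans presentation-format records (one per line, numeric fields, as `dig` prints them) for DNSKEY algorithms 5 and 7 and for DS/CDS digest type 1. The function name `find_deprecated`, the `example.test` records and their key and digest values are constructed for illustration.

```python
# IANA DNSSEC algorithm numbers of the two deprecated DNSKEY algorithms.
DEPRECATED_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}
SHA1_DIGEST_TYPE = 1  # DS/CDS digest type 1 is SHA-1
# Position of the algorithm field within the RDATA of each record type.
ALG_FIELD = {"DNSKEY": 2, "DS": 1, "CDS": 1}
CLASSES = {"IN", "CH", "HS"}

# Constructed sample records (keys, digests and signature are placeholders).
SAMPLE = """\
example.test. 3600 IN DNSKEY 257 3 5 AwEAAcONSTRUCTEDKEY=
example.test. 3600 IN DNSKEY 257 3 13 Y29uc3RydWN0ZWQta2V5
example.test. 3600 IN RRSIG DS 13 5 3600 20250801000000 20250715000000 4242 test. c2ln
example.test. 3600 IN DS 4242 13 1 0123456789ABCDEF0123456789ABCDEF01234567
example.test. 3600 IN DS 4242 13 2 00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF
child.example.test. IN CDS 777 7 2 FFEEDDCCBBAA99887766554433221100FFEEDDCCBBAA99887766554433221100
"""


def find_deprecated(records):
    """Return (owner, rrtype, reason) for each DNSKEY, DS or CDS record that
    uses a deprecated DNSKEY algorithm or the SHA-1 DS digest."""
    findings = []
    for line in records.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        # TTL and class are optional: the type is the first token after
        # the owner name that is neither a TTL nor a class.
        i = 1
        while i < len(fields) and (fields[i].isdigit()
                                   or fields[i].upper() in CLASSES):
            i += 1
        if i >= len(fields) or fields[i].upper() not in ALG_FIELD:
            continue  # other types (e.g. RRSIG) are not examined here
        owner, rrtype, rdata = fields[0], fields[i].upper(), fields[i + 1:]
        if len(rdata) < 4 or not all(f.isdigit() for f in rdata[:3]):
            continue  # truncated or mnemonic-form record: not judged
        alg = int(rdata[ALG_FIELD[rrtype]])
        if alg in DEPRECATED_ALGS:
            findings.append(
                (owner, rrtype, f"algorithm {alg} ({DEPRECATED_ALGS[alg]})"))
        if rrtype != "DNSKEY" and int(rdata[2]) == SHA1_DIGEST_TYPE:
            findings.append((owner, rrtype, "digest type 1 (SHA-1)"))
    return findings


if __name__ == "__main__":
    for owner, rrtype, reason in find_deprecated(SAMPLE):
        print(f"{owner} {rrtype}: {reason}")
```

Records that print the algorithm as a mnemonic or span several lines in parentheses are skipped rather than guessed at, so normalise zone-file input to one record per line first.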