From: Wouter Wijngaards Date: Mon, 24 Aug 2015 15:05:10 +0000 (+0000) Subject: - Change default of harden-algo-downgrade to off. This is lenient X-Git-Tag: release-1.5.5rc1~15 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e65fdc31aa664d58ba326682a59d7c0e0e5dd2eb;p=thirdparty%2Funbound.git - Change default of harden-algo-downgrade to off. This is lenient for algorithm rollover. git-svn-id: file:///svn/unbound/trunk@3478 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/doc/Changelog b/doc/Changelog index 119e40d10..fef399d86 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -2,6 +2,8 @@ - Fix deadlock for local data add and zone add when unbound-control list_local_data printout is interrupted. - iana portlist update. + - Change default of harden-algo-downgrade to off. This is lenient + for algorithm rollover. 13 August 2015: Wouter - 5011 implementation does not insist on all algorithms, when diff --git a/doc/example.conf.in b/doc/example.conf.in index 90491119e..e34fc3191 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -294,7 +294,7 @@ server: # Harden against algorithm downgrade when multiple algorithms are # advertised in the DS record. If no, allows the weakest algorithm # to validate the zone. - # harden-algo-downgrade: yes + # harden-algo-downgrade: no # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index cfbedd7d0..eec118274 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in 
@@ -567,7 +567,7 @@ to increase the max depth that is checked to. .B harden\-algo\-downgrade: \fI Harden against algorithm downgrade when multiple algorithms are advertised in the DS record. If no, allows the weakest algorithm to -validate the zone. Default is yes. Zone signers must produce zones +validate the zone. Default is no. Zone signers must produce zones that allow this feature to work, but sometimes they do not, and turning this option off avoids that validation failure. .TP diff --git a/util/config_file.c b/util/config_file.c index 3ef545a7b..211fffba4 100644 --- a/util/config_file.c +++ b/util/config_file.c @@ -174,7 +174,7 @@ config_create(void) cfg->harden_dnssec_stripped = 1; cfg->harden_below_nxdomain = 0; cfg->harden_referral_path = 0; - cfg->harden_algo_downgrade = 1; + cfg->harden_algo_downgrade = 0; cfg->use_caps_bits_for_id = 0; cfg->caps_whitelist = NULL; cfg->private_address = NULL;
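Review bot: In the doc/Changelog hunk, the new entry lands in the topmost date block, whose header is outside the hunk (the next visible header is "13 August 2015"); confirm that block is dated 24 August 2015 so the date of the default change is recorded correctly. Since this entry changes a security default for every deployment that does not set the option explicitly, the changelog line should also state what operators must do to keep the old behaviour, e.g. "set harden-algo-downgrade: yes to keep the previous strict validation".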
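Review bot: In the doc/example.conf.in hunk, flipping the commented-out default to `# harden-algo-downgrade: no` is consistent with the code change, but the surrounding comment still only describes the "no" case ("If no, allows the weakest algorithm to validate the zone") without saying why "no" is now the default. Suggest adding the reason given in the commit message and the man page so a reader of the example config understands the trade-off, e.g. "Default is no, because zone signers do not always sign with every algorithm advertised in the DS record, and yes would then fail validation."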
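Review bot: In the doc/unbound.conf.5.in hunk, only "Default is yes" became "Default is no", so the sentence that follows ("turning this option off avoids that validation failure") now describes an action the user no longer needs to take. Reword to match the new default, e.g. "Default is no. Turning this option on rejects zones whose signers do not produce signatures for every algorithm advertised in the DS record, which sometimes happens during algorithm rollover." Also consider stating explicitly what "no" means for validation, namely that the zone is accepted if any one advertised algorithm validates.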
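Review bot: In the util/config_file.c hunk, `cfg->harden_algo_downgrade = 0;` in `config_create()` is the only functional change, and it matches the two documentation edits; no other default in the visible context (`harden_dnssec_stripped`, `harden_below_nxdomain`, `harden_referral_path`) is touched. Two things to verify outside this patch: any test data or checkconf expectations that assume the old value of 1 will need updating, and the option's parser default (if a separate table of option defaults exists) must agree with this value, otherwise the three places changed here will disagree with what a config reload actually sets.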