Closed
Issue created Dec 04, 2018 by Ondřej Surý (@ondrej, Owner)

Investigate and fix what happens when managed-key algorithm is not supported

There are several possible scenarios (as discussed) for how an algorithm can end up in the not-supported set:

  • The algorithm is not supported (e.g. DSA on the lower side of the spectrum and ED448 on the other end)
  • The algorithm has been disabled via configuration

and:

  • The managed-keys has been configured with an unsupported algorithm
  • The RFC 5011 roll rolls to an unsupported algorithm

First, we need to have (system) tests about what happens in different combinations.

Second, we will have to decide what the correct behaviour is, as in the past some people might have used this as an NTA: configure a TA with an unknown algorithm to disable validation for the (broken) part of the DNS tree.

Edited Dec 04, 2018 by Ondřej Surý