Once upon a time, Kevin P. Fleming <kpfleming(a)redhat.com> said:
In a similar (parallel) discussion related to future RHEL, it has
been
found this change also breaks resolution of many DNSSEC-secured domains
which are still using SHA1 signatures. It is impossible to know how long it
will be before those domains upgrade to better signatures, and at the
moment it's rather challenging for resolvers to be able to determine that
the resolution failure was caused by local policy instead of an actual
invalid signature.
That's a really unacceptable break, and will just lead to people saying
"don't use Red Hat stuff for DNS servers". If the public open-resolvers
(Google, Cloudflare, etc.) accept it, then it needs to continue to work on
RHEL/CentOS/Fedora.
--
Chris Adams <linux(a)cmadams.net>