Bind 9.11 serving up false answers for a single domain. (OT)

Stuart at Stuart at
Thu Feb 11 08:03:50 UTC 2021

Good to know.

Will attach a task to our next KSK roll process. Should halve the number of SHA1 DS's in the root.

Will also tweak some of our other DNSSEC process documentation to stop providing them.


On 11/2/21, 6:49 pm, "bind-users on behalf of Ondřej Surý" <bind-users-bounces at on behalf of ondrej at> wrote:

    > On 11. 2. 2021, at 7:01, Stuart at wrote:
    > It's one of those old compatibility things.

    Also called *downgrade attack vector*.

    Stuart, there’s absolutely no reason to keep any SHA1 in the DNS at the time I am writing this message.

    Ondřej Surý (He/Him)
    ondrej at
