From Fedora Project Wiki

Disable SHA1 In OpenDNSSec


OpenDNSSec' enforcer has a (deprecated) -sha1 CLI option that brings back the old behavior, e.g. include the SHA1 version of the DS. As SHA1 use is deprecated in favour of SHA256, disable the -sha1 CLI knob so that it only displays a warning.


Current status

  • Targeted release: Fedora Linux 35
  • Last updated: 2021-07-06
  • FESCo issue: #2633
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

OpenDNSSec changed the default behavior to not include SHA1 DS by default, and added the -sha1 knob as an immediately-deprecated compatibility knob in version 2.1.0 (2017-2): "OPENDNSSEC-552: By default ‘ods-enforcer key export –ds’ included the SHA1 version of the DS. SHA1 use is discouraged in favour of SHA256. To get the SHA1 DS use the –sha1 flag. This flag is immediately deprecated and will be removed from future versions of OpenDNSSEC." (see ChangeLog: ).

The proposal is to disable the -sha1 knob in Fedora. I will also open an issue upstream to remove all the sha1-related code.

Supporting statement [from ICANN (2020-1-24): "Now is the time for administrators of zones at all levels of the DNS to stop using SHA-1 and change to algorithms using stronger hashes."


Benefit to Fedora


  • Proposal owners:

Patch the enforcer so that bsha1 is not honored anymore:

./enforcer/src/keystate/keystate_export_cmd.c-271-                break;
./enforcer/src/keystate/keystate_export_cmd.c-272-            case 's':
./enforcer/src/keystate/keystate_export_cmd.c:273:                bsha1 = 1;
./enforcer/src/keystate/keystate_export_cmd.c-274-                break; 
./enforcer/src/keystate/keystate_export_cmd.c-275-            default:
  • Other developers:
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives: N/A

Upgrade/compatibility impact

Zones with SHA-1 signatures can be migrated to SHA-256 by re-signing the zone. This change might break (very old) clients that only recognize SHA-1 but these should already be broken (on the Internet at least) because the root zone is signed with SHA-256 only.

How To Test

User Experience

OpenDNSSec in Fedora can currently be used to sign zones with SHA1. With this change, this will no longer be possible. The migration from SHA1 is underway anyway.


FreeIPA (freeipa-server-dns) depends on OpenDNSSec.

Contingency Plan

  • Contingency mechanism: Keep the current -sha1 knob's behavior (remove the patch).
  • Contingency deadline: Beta freeze
  • Blocks release? No, unless the change breaks IPA.


N/A (not a System Wide Change)

Release Notes