Hello,

I would like to ask you for help with a crypto consolidation project: Red Hat is trying to consolidate crypto configuration on Linux systems into one place.

As you can see in https://bugzilla.redhat.com/show_bug.cgi?id=1179925, we have tried to write a script which translates the system-wide crypto policy into a named.conf snippet (with the aim of forbidding old/deprecated/insecure algorithms and so on).

Unfortunately, it seems that BIND currently has a very limited set of crypto settings. It would be really helpful if BIND could accept parameters like min-rsa-bits and min-dh-bits (or at least specify the allowed DH groups). Also, there is no way to specify algorithms and minimal accepted parameters/key sizes for HMAC algorithms.

Maybe an option to specify algorithm white-lists instead of black-lists would be a nice way to avoid surprises after an upgrade.

What do you think about it? Would it be possible to implement something like that?

Have a nice day!

--
Petr Spacek @ Red Hat