Warn users not to use insecure TSIG algorithms when using DNS UPDATE and ACME DNS01

* SHA1 and MD5 are allowed by our API but they are insecure.
* We could return a [deprecation warning](https://github.com/cert-manager/cert-manager/pull/3936) if those are used.

https://github.com/cert-manager/cert-manager/blob/833311d278af13e222e55f2507297f37d4e902b2/internal/apis/certmanager/validation/issuer.go#L386-L392

## Links
* https://cert-manager.io/docs/configuration/acme/dns01/rfc2136/
* https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1.ACMEIssuerDNS01ProviderRFC2136
* https://github.com/cert-manager/cert-manager/pull/4958
* [RFC 2136: Dynamic Updates in the Domain Name System (DNS UPDATE)](https://www.rfc-editor.org/rfc/rfc2136)

_Originally posted by @inteon in https://github.com/cert-manager/cert-manager/issues/6579#issuecomment-1873840629_
            

	// This list must be kept in sync with pkg/issuer/acme/dns/rfc2136/rfc2136.go
	var supportedTSIGAlgorithms = []string{
	"HMACMD5",
	"HMACSHA1",
	"HMACSHA256",
	"HMACSHA512",
	}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Warn users not to use insecure TSIG algorithms when using DNS UPDATE and ACME DNS01 #6580

Links

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Warn users not to use insecure TSIG algorithms when using DNS UPDATE and ACME DNS01 #6580

Description

Links

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions