This proposal updates DNSSECImpl's algorithm 7 (RSASHA1-NSEC3-SHA1) to point to the same patched RSASHA1Algorithm contract that already serves algorithm 5. This was inadvertently omitted from the previous proposal, which patched algorithms 5, 8, and 13.
The ENS deploy script (10_deploy_oracle.ts) maps both algorithm 5 and algorithm 7 to the same RSASHA1Algorithm contract, as they share identical RSA+SHA1 verification logic. When the previous proposal was executed, setAlgorithm was called for algorithms 5, 8, and 13, but algorithm 7 was missed.
Algorithm 7 currently still points to the pre-patch contract at 0x6ca8624Bc207F043D140125486De0f7E624e37A1, which lacks PKCS#1 v1.5 padding validation.
Current impact is negligible — no TLD in the ENS ecosystem currently uses algorithm 7. The TLDs affected by the original vulnerability (.cc, .name) used algorithm 8, which was patched in the previous proposal. However, this should be corrected to match the intended configuration and to close the gap left by the previous deployment.
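What the PKCS#1 v1.5 padding validation mentioned above involves for RSA/SHA-1 signatures, as an added Python example (not the RSASHA1Algorithm contract's code): the verifier rebuilds the complete encoded block and compares every byte, so a block with the right digest but malformed padding is rejected. The toy key, the record text and all function names are constructed for illustration.

```python
import hashlib
import hmac

# ASN.1 DigestInfo prefix for SHA-1 (RFC 3110 section 3, RFC 8017 section 9.2).
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def expected_em(message: bytes, k: int) -> bytes:
    """The single valid EMSA-PKCS1-v1_5 block for `message` and a k-byte modulus."""
    t = SHA1_PREFIX + hashlib.sha1(message).digest()
    if k < len(t) + 11:  # at least 8 bytes of 0xFF padding are required
        raise ValueError("modulus too short for RSA/SHA-1")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_rsasha1(message: bytes, sig: bytes, n: int, e: int) -> bool:
    """Strict verification: rebuild the full block and compare every byte."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    s = int.from_bytes(sig, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, expected_em(message, k))

# Constructed toy key (two Mersenne primes): for test vectors only, not secure.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8

def sign_block(em: bytes) -> bytes:
    """Raw RSA private-key operation on an arbitrary block (test helper)."""
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")

def demo() -> dict:
    msg = b"example.test. 3600 IN TXT constructed-record"  # constructed input
    good = expected_em(msg, K)
    # Same trailing DigestInfo and digest, but the 0xFF padding run is zeroed.
    bad_pad = b"\x00\x01" + b"\x00" * (K - 37) + good[-35:]
    return {
        "valid": verify_rsasha1(msg, sign_block(good), N, E),
        "wrong_message": verify_rsasha1(b"other", sign_block(good), N, E),
        "malformed_padding": verify_rsasha1(msg, sign_block(bad_pad), N, E),
        "short_signature": verify_rsasha1(msg, sign_block(good)[1:], N, E),
    }

if __name__ == "__main__":
    print(demo())
```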
A single setAlgorithm call on DNSSECImpl (0x0fc3152971714E5ed7723FAFa650F86A4BaF30C5):
| Algorithm ID | Contract | Address |
|---|---|---|
| 7 (RSASHA1-NSEC3-SHA1) | RSASHA1Algorithm (patched) | 0x58E0383E21f25DaB957F6664240445A514E9f5e8 |
No new contract deployment is needed — this reuses the same patched contract already serving algorithm 5.
| # | Contract | Function | Parameters |
|---|---|---|---|
| 1 | DNSSECImpl | setAlgorithm(uint8,address) | 7, 0x58E0383E21f25DaB957F6664240445A514E9f5e8 |
Calldata:

```sh
cast calldata "setAlgorithm(uint8,address)" 7 0x58E0383E21f25DaB957F6664240445A514E9f5e8
```
After execution, confirm:

```sh
cast call 0x0fc3152971714E5ed7723FAFa650F86A4BaF30C5 "algorithms(uint8)(address)" 7
# Expected: 0x58E0383E21f25DaB957F6664240445A514E9f5e8
```