Unsupported DNSSEC algorithms should not lead to SERVFAIL.

Petr Menšík pemensik at redhat.com
Tue Nov 4 12:21:42 UTC 2025


Unfortunately this is a rare moment when Ondřej is not correct. This 
affects all versions which included the fix for CVE-2025-8677. Yes, I 
also verified that our builds are affected. Fedora 9.18.41 contains the 
same problem, but the OpenSSL library does not prevent usage of 
algorithms 5 and 7 there. It is not visible.

But in any case, similar reports should contain delv +vtrace output from 
your side. Especially because it should be possible to reproduce it on 
any system which disables the RSASHA1 and RSASHA1NSEC3 algorithms. But 
the delv tool shows wrong behaviour only on CentOS 9 or CentOS 10 
derivatives. On other systems it seems unaffected at first glance.

The development version contains code modifications which have a 
similar problem in a slightly different place and need a different fix. 
But unlike the original assumption, it also affects stable versions.

Cheers,
Petr

On 30/10/2025 22:39, Ondřej Surý wrote:
> No, you have not been caught by this. The issue you are referring to affects only a development
> version of BIND 9 (9.21), so whatever you are experiencing is not related to this.
>
> You need to provide evidence (logs, reproducer) about what is going on, so we can help you
> diagnose the issue you are experiencing.
>
> Ondrej
> --
> Ondřej Surý (He/Him)
> ondrej at isc.org
>
> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

-- 
Petr Menšík
Senior Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
