Unsupported DNSSEC algorithms should not lead to SERVFAIL.

Petr Menšík pemensik at redhat.com
Fri Nov 7 09:40:34 UTC 2025 

I would recommend requesting downstream fixes in the mean time. Any 
distribution channel delivering bind packages can include patches 
already merged into bind-9.18 branch. They may not be aware the problem 
exists, because it happens only for less common domains.

Give them 
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11211 MR link 
to any your bind distributor and request fixes. They may arrive sooner 
than new bind release, but they have to know about the problem first.

If you build from sources, then use cherry-pick to include fixing commit 
from it on top of last release. What is what I do for Fedora packages 
for example.

I would not have noticed it myself if I were not included in cc by Bjørn 
Mork. I would be surprised if most of redistributors were unaware there 
is any problem at this moment.

Regards,
Petr

On 06/11/2025 19:58, Kelsey Cummings wrote:
> Ondřej, do you have an ETA for (9.18) releases which contain the fixes?
>
>
> On 11/4/2025 4:27 AM, Ondřej Surý wrote:
>> Agreed.
>>
>> I would suggest doing a full bug report into an issue next time and 
>> including all the relevant details instead of piggybacking on an 
>> internal issue.
>>
>> There is a subtle difference between #5570 and the issue reported 
>> below, and thus these are two distinct bugs.
>>
>> Ondrej
>> -- 
>> Ondřej Surý (He/Him)
>> ondrej at isc.org
>>
>> My working hours and your working hours may be different. Please do 
>> not feel obligated to reply outside your normal working hours.
>>
>>> On 4. 11. 2025, at 7:21, Petr Menšík via bind-users 
>>> <bind-users at lists.isc.org> wrote:
>>>
>>> Unfortunately this is a rare moment, when Ondřej is not correct. 
>>> This affects all versions, which included fix for CVE-2025-8677. 
>>> Yes, I verified also our builds are affected. Fedora 9.18.41 
>>> contains the same problem, but OpenSSL library does not prevent 
>>> usage of 5 and 7 algorithms there. It is not visible.
>>>
>>> But in any case, similar reports should contain delv +vtrace output 
>>> from your side. Especially because it should be able to reproduce it 
>>> on any system, which disables RSASHA1 and RSASHA1NSEC3 algorithms. 
>>> But delv tool shows wrong behaviour only on CentOS 9 or CentOS 10 
>>> derivatives. On other systems it seems unaffected on the first glance.
>>>
>>> Development version contains code modifications, which has similar 
>>> problem in a bit different place and with different fix needed. But 
>>> unlike original assumption it affects also stable versions.
>>>
>>> Cheers,
>>> Petr

-- 
Petr Menšík
Senior Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB

More information about the bind-users mailing list