RHEL9+, RSASHA1 and CVE-2025-8677
    sthaug at nethelp.no 
    Fri Oct 31 12:05:05 UTC 2025
    
    
  
> No. Algorithm 5 and 7 are skipped earlier and should never reach the
> code affected.

However, the observed behavior, which started this, is that a zone
signed with both algorithm 7 and algorithm 13 failed. The client
(me) received SERVFAIL.

> No crypto policy will change any of this, you do not have to lower
> your security defaults to avoid that.

Well, the policy change that Bjørn made definitely made the zone
in question resolve again.

> Please wait a few days, proper fixes are on the way!

Unfortunately the real world doesn't have that kind of patience.

Steinar Haug, AS2116
    
    