RHEL9+, RSASHA1 and CVE-2025-8677
Petr Menšík
pemensik at redhat.com
Fri Oct 31 12:25:45 UTC 2025

Can you please share a public domain name where this can be tested? I 
promise we won't steal it from you. I can create some for testing, but 
that would delay delivering fixes even more.
No, it should not happen and is an undesired issue if it does. I admit we 
run the bind9 test suite with the DEFAULT:SHA1 policy to avoid unexpected false 
positives. If we had this fixed properly, it might have warned us. But 
we are still preparing unmodified upstream fixes. This seems like a 
regression we want to fix too.
I admit we do not have any test of our own doing validation of a disabled and 
a supported algorithm at the same time. It seems like one should be 
created ASAP.
On 31/10/2025 13:05, sthaug at nethelp.no wrote:
>> No. Algorithm 5 and 7 are skipped earlier and should never reach the
>> code affected.
> However, the observed behavior, which started this, is that a zone
> signed with both algorithm 7 and algorithm 13, failed. The client
> (me) received SERVFAIL.
>
>> No crypto policy will change any of this, you do not have to lower
>> your security defaults to avoid that.
> Well, the policy change that Bjørn made definitely makes the zone
> in question resolve again.
>
>> Please wait a few days, proper fixes are on the way!
> Unfortunately the real world doesn't have that kind of patience.
>
> Steinar Haug, AS2116
It is our current top priority and I cannot comment on it further.
-- 
Petr Menšík
Senior Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB