RHEL9+, RSASHA1 and CVE-2025-8677
Ondřej Surý
ondrej at isc.org
Fri Oct 31 12:28:18 UTC 2025
Thanks, that’s helpful. I guess it should be possible to set up something like this on our own.
Thinking aloud - perhaps it is the combination of valid and invalid algorithm (aka unfinished algorithm rollover) that is broken?
We will look into this.
Ondřej
--
Ondřej Surý — ISC (He/Him)
My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
> On 31. 10. 2025, at 13:25, sthaug at nethelp.no wrote:
>
>
>>
>> Can we have a couple of reproducers please?
>>
>> We do run tests on RHEL-like 8,9,10 and no current test caught failure like that, so having a solid reproducer would be nice.
>
> The zone in question is globalconnect.no, which currently has 2 DNSKEY
> alg 7 (ZSK and KSK), and 2 DNSKEY alg 13:
>
> globalconnect.no. 86400 IN DNSKEY 256 3 13 (
> PgfR2bY3UuhvNMY5iwh0lBAunsF+1U5rTMCPJpe2yyEn
> Gz7Uf0ZAW4Y+gHJ7dyhuZy4IrCLdr8oQtPXa/z8IdA==
> ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 11766
> globalconnect.no. 86400 IN DNSKEY 257 3 7 (
> AwEAAcohltTqte+Dh5ILQQJc6H+hptQDzfwd3IKJCvUL
> 8EOolAOBnXKxExA1rDCvLdk5OUQhp3kG4JAmOjQVefCN
> d/1GrfIEDnQ4e4NvRCgQEudb4MjOetwlRC6thFYiP5no
> bzc4kiQpTWBNwDZVG0JUhWbJe6qlg+ltf3DvJqBNv97t
> k7SER7GpBeQP/xC7M9l6P1Lg0+VUecO0RKJSv1weFcsD
> 6bKpEZEvVWznxdS4poi+jXCtw+n2Tz0ThEv5/+bbPjqU
> jal1m0Y/ikjmuNSQFPYTLpzYzFHrtNOCr0zB3IYjBTEt
> qvhYP6qM90Qf9k7QJqFA5+W8xNBJi5qmP6LJq0M=
> ) ; KSK; alg = NSEC3RSASHA1 ; key id = 57648
> globalconnect.no. 86400 IN DNSKEY 257 3 13 (
> DiJpDhQC3P+Wl/XgG+tcUE7Vkg4LlOEUeLW7DyMqghVG
> 4Fb8mQcDE47l+czT7F1e5OF+mNVI3Iwhl0NQ2iXlpw==
> ) ; KSK; alg = ECDSAP256SHA256 ; key id = 17792
> globalconnect.no. 86400 IN DNSKEY 256 3 7 (
> AwEAAb8QfXz1Unqt6DOAN2WfpG2/4AE+X1nXbf2e17GM
> /UfHFvVMvSBxzZjKH7tms9pbMHK8aKBj9J1K88he0TWn
> LDH4/F7BcQkPziAFUmP8hWWukjrDTgi+mwG5Vc144K7w
> HogAu0ZuRQUr0Nb8cBNg9Qc9XqbsXGIcRScoyfrncqV6
> fKjFGHtmCMYLKhfljrA7uVlZJ6hIlLFhIBhlquDovn9P
> ERnhkJAtqyPi3wN29hiSXapGGY0FDPu/6lBi8Eubu2Lq
> OdtgkH781orUvXX2YmeOa6yqvq5GzUYjG8FqDEoQ1i+O
> LoxihH5eWEn++f/XS2SdFMwXzW+zT9nyz8gyLSU=
> ) ; ZSK; alg = NSEC3RSASHA1 ; key id = 2690
>
> I discovered the problem this morning (Norwegian time) because I tried to
> send an email to user at globalconnect.no from MY home (on Telenor Internet),
> and got a SERVFAIL from Bjørn's resolvers.
>
> Note that globalconnect.no is in the process of being updated, removing
> the alg 7 DNSKEYs, so I don't know for how much longer you'll be able to
> see this.
>
> Steinar Haug, AS2116
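The alg 7 / alg 13 mix in the quoted DNSKEY RRset is exactly the state a validator with SHA-1 disabled has to handle. The checker below is an added example, not code from this thread or from BIND: it parses DNSKEY records in presentation format, computes RFC 4034 key tags and reports whether a zone is SHA-1-only, mixed, or free of SHA-1. The `example.test.` records and their two-byte dummy keys are constructed for the example and are not the real globalconnect.no keys.

```python
import base64
import re

# IANA DNSSEC algorithm numbers. 5 and 7 are SHA-1 based; the RHEL 9+ DEFAULT
# crypto policy rejects SHA-1 signatures, so a validator there treats them as
# unsupported (RFC 6840 s5.11: not a failure if a supported alg also signs).
ALG_NAMES = {5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256", 13: "ECDSAP256SHA256"}
SHA1_ALGS = {5, 7}
DNSKEY_RE = re.compile(r"(\S+)\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)")

def key_tag(flags, protocol, alg, pubkey):
    """Key tag per RFC 4034 Appendix B, computed over the wire-format RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, alg]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(line):
    """Parse one single-line DNSKEY record in presentation format."""
    m = DNSKEY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a DNSKEY record: {line!r}")
    flags, proto, alg = int(m[2]), int(m[3]), int(m[4])
    pubkey = base64.b64decode(m[5])
    return {"owner": m[1], "alg": alg, "role": "KSK" if flags & 1 else "ZSK",
            "tag": key_tag(flags, proto, alg, pubkey)}

def assess(lines):
    """Return 'no_sha1', 'mixed' (SHA-1 plus a supported alg) or 'sha1_only'."""
    keys = [parse_dnskey(ln) for ln in lines if ln.strip()]
    algs = {k["alg"] for k in keys}
    sha1, other = algs & SHA1_ALGS, algs - SHA1_ALGS
    state = "no_sha1" if not sha1 else ("mixed" if other else "sha1_only")
    return {"state": state, "keys": keys, "algs": sorted(algs)}

# Constructed sample: same alg 7 / alg 13 and KSK/ZSK layout as the thread,
# but with dummy two-byte public keys, not the real globalconnect.no keys.
SAMPLE = [
    "example.test. 86400 IN DNSKEY 256 3 13 AAE=",
    "example.test. 86400 IN DNSKEY 257 3 7 AAE=",
    "example.test. 86400 IN DNSKEY 257 3 13 AAE=",
    "example.test. 86400 IN DNSKEY 256 3 7 AAE=",
]

if __name__ == "__main__":
    for k in assess(SAMPLE)["keys"]:
        print(k["role"], ALG_NAMES.get(k["alg"], k["alg"]), "key id", k["tag"])
```

Run it against the output of `dig +dnssec DNSKEY <zone>` (one record per line) to see whether a zone still carries SHA-1 keys alongside a supported algorithm during a rollover.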