RHEL9+, RSASHA1 and CVE-2025-8677

Bjørn Mork bjorn at mork.no
Fri Oct 31 13:20:09 UTC 2025


I created an empty test zone demonstrating the issue at test.mork.no
since I assume Steinar wants to fix globalconnect.no ASAP.

My test is using this policy:

dnssec-policy "buggy" {
        keys {
                ksk lifetime unlimited algorithm ecdsa256;
                ksk lifetime unlimited algorithm rsasha1;
                zsk lifetime unlimited algorithm ecdsa256;
                zsk lifetime unlimited algorithm rsasha1;
        };
        purge-keys 0;   // never purge deleted keys
};

It looks like this on BIND 9.20.15 on Debian:


$ dig soa test.mork.no +do +multiline
 
; <<>> DiG 9.20.15-1~deb13u1-Debian <<>> soa test.mork.no +do +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33562
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: e9034514aa89ecaf010000006904b6fc1d1d21c9dd0f3271 (good)
;; QUESTION SECTION:
;test.mork.no.          IN SOA
 
;; ANSWER SECTION:
test.mork.no.           42706 IN SOA dilbert.mork.no. bjorn.mork.no. (
                                2025103104 ; serial
                                14400      ; refresh (4 hours)
                                3600       ; retry (1 hour)
                                3628800    ; expire (6 weeks)
                                43200      ; minimum (12 hours)
                                )
test.mork.no.           42706 IN RRSIG SOA 5 3 43200 (
                                20251114130703 20251031120703 41785 test.mork.no.
                                KCp2cNNGa1WUFamqy1ybKkxynvnuSvms3cWD8d9/TAq2
                                XfkUiJxz4ccbZoS0wK3aa0mA1YiKANKlscrjpRkJw/RP
                                Qkw7Ci3hiIHlDd50DM2rSh74U7GdABrNUJcGuaKpj8DT
                                vNCH4nkJbxHehYhDe3jICVR710t4EHtuUn42tuJpjxLf
                                sv8N9oaVcdhv5pHmbgTSIQ3ZdRvgM954M4QPYCGPxYLP
                                iUf5rT8jeYw9gpCye5zgpld5kcJHDx9Sgb78y2OXRd+J
                                T2blFVgqTioFUQopFzIzGilRA6u4fnJcsItRtOYMNhSm
                                6cGjBpmPrKIW/vzA4K50AqUfsOIPhIeezw== )
test.mork.no.           42706 IN RRSIG SOA 13 3 43200 (
                                20251114130703 20251031120703 38456 test.mork.no.
                                gzbDNH4wWWdDD8WJu7rTW37RwGp+EBkPbiOZYZsOLnnk
                                Xm3oILf9dKUjq0T8yEDVqbjV39ZXOknj3ZpgGN3ZnQ== )
 
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Oct 31 14:17:48 CET 2025
;; MSG SIZE  rcvd: 527
 



And like this on RHEL9 using default crypto policies:

$ dig soa test.mork.no +do +multiline @redacted
 
; <<>> DiG 9.20.15-1~deb13u1-Debian <<>> soa test.mork.no +do +multiline @ti0300o830-ipv4.ti.telenor.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35775
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: eb17c1af58c156fb010000006904b74f39c1351b58c1fde6 (good)
;; QUESTION SECTION:
;test.mork.no.          IN SOA
 
;; Query time: 200 msec
;; SERVER: redacted#53(redacted) (UDP)
;; WHEN: Fri Oct 31 14:19:11 CET 2025
;; MSG SIZE  rcvd: 69
 


Bjørn
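As an added illustration (not part of Bjørn's post, and not a BIND tool), here is a small Python checker that parses the `dig +multiline` output shown above and answers the question the two captures raise: which signing algorithms does the answer carry, and does at least one of them survive a crypto policy that rejects SHA-1 signatures, as the RHEL 9 DEFAULT policy does? Per RFC 6840 section 5.11 a validator should accept an RRset as long as one RRSIG verifies, so a zone signed with both algorithm 5 and 13 is expected to validate even where RSASHA1 is unusable; the SERVFAIL from the RHEL9 resolver is what this check would flag for follow-up. The sample inputs are abridged copies of the two captures above; the regexes, function names and the `SHA1_ALGORITHMS` set are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Subset of the IANA "DNS Security Algorithm Numbers" registry.
ALGORITHM_NAMES = {
    5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}

# Assumption for this example: algorithms whose RRSIGs need SHA-1, which a
# crypto policy that rejects SHA-1 signatures (RHEL 9 DEFAULT) cannot verify.
SHA1_ALGORITHMS = frozenset({5, 7})


@dataclass(frozen=True)
class Rrsig:
    owner: str
    type_covered: str
    algorithm: int
    key_tag: int
    signer: str


# "dig +multiline" prints an RRSIG as a header line ending in "(", then a line
# "expiration inception keytag signer", then base64 lines up to ")".
RRSIG_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+(\d+)\s+\d+\s+\d+\s+\(\s*$")
SIGDATA_RE = re.compile(r"^\s*\d{14}\s+\d{14}\s+(\d+)\s+(\S+)\s*$")
STATUS_RE = re.compile(r"^;; ->>HEADER<<- .*status: (\w+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);")


def parse_dig(text):
    """Return (rcode, header flags, list of Rrsig) from dig +multiline output."""
    status, flags, rrsigs = None, set(), []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        if m := STATUS_RE.match(line):
            status = m.group(1)
        elif m := FLAGS_RE.match(line):
            flags = set(m.group(1).split())
        elif (m := RRSIG_RE.match(line)) and i + 1 < len(lines):
            if d := SIGDATA_RE.match(lines[i + 1]):
                rrsigs.append(Rrsig(m.group(1), m.group(2), int(m.group(3)),
                                    int(d.group(1)), d.group(2)))
                i += 1  # the data line has been consumed
        i += 1
    return status, flags, rrsigs


def assess(dig_output, disabled=SHA1_ALGORITHMS):
    """Per RRset, list the RRSIG algorithms present and whether at least one
    of them remains usable when `disabled` cannot be verified (RFC 6840 5.11:
    a single verifiable RRSIG is sufficient)."""
    status, flags, rrsigs = parse_dig(dig_output)
    by_type = {}
    for sig in rrsigs:
        by_type.setdefault(sig.type_covered, set()).add(sig.algorithm)
    rrsets = {}
    for rtype, algs in by_type.items():
        usable = algs - set(disabled)
        rrsets[rtype] = {"algorithms": sorted(algs), "usable": sorted(usable),
                         "validatable": bool(usable)}
    return {"status": status, "ad": "ad" in flags, "rrsets": rrsets}


def describe(report):
    """Human-readable summary of an assess() report."""
    out = [f"rcode={report['status']} ad={report['ad']}"]
    if not report["rrsets"]:
        out.append("no RRSIGs in answer (SERVFAIL or unsigned response?)")
    for rtype, info in report["rrsets"].items():
        names = ", ".join(f"{a} ({ALGORITHM_NAMES.get(a, '?')})" for a in info["algorithms"])
        verdict = "should validate" if info["validatable"] else "no usable signature"
        out.append(f"{rtype}: signed with {names}; usable {info['usable']} -> {verdict}")
    return "\n".join(out)


# Constructed sample inputs: abridged from the two captures in the post above.
DEBIAN_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33562
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
test.mork.no.           42706 IN SOA dilbert.mork.no. bjorn.mork.no. (
                                2025103104 ; serial
                                )
test.mork.no.           42706 IN RRSIG SOA 5 3 43200 (
                                20251114130703 20251031120703 41785 test.mork.no.
                                KCp2cNNGa1WUFamqy1ybKkxynvnuSvms3cWD8d9/TAq2
                                6cGjBpmPrKIW/vzA4K50AqUfsOIPhIeezw== )
test.mork.no.           42706 IN RRSIG SOA 13 3 43200 (
                                20251114130703 20251031120703 38456 test.mork.no.
                                gzbDNH4wWWdDD8WJu7rTW37RwGp+EBkPbiOZYZsOLnnk
                                Xm3oILf9dKUjq0T8yEDVqbjV39ZXOknj3ZpgGN3ZnQ== )
"""
RHEL_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35775
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    print(describe(assess(DEBIAN_DIG)))
    print(describe(assess(RHEL_DIG)))
```

Run against the Debian capture it reports the SOA RRset as signed with algorithms 5 and 13 and still validatable with only 13 usable; run against the RHEL9 capture it reports SERVFAIL with no RRSIGs at all, which is the symptom to chase rather than a policy outcome the zone owner can fix by dropping the SHA-1 key alone.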