<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Hello Wolfgang,<br>
    </p>
    <p>I would suggest using the policy DEFAULT:SHA1 instead. It does not
      enable all outdated algorithms, but only SHA1 in addition. A good
      choice for dedicated DNS servers.<br>
    </p>
    <p>$ update-crypto-policies --set DEFAULT:SHA1<br>
    </p>
    <p>With my bind maintainer hat on, I need to clarify that it was
      ensured that disabling SHA1 does not cause fatal errors with the
      default Red Hat-provided configuration. The magic happens in an
      include provided by the system:</p>
    <p>include "/etc/crypto-policies/back-ends/bind.config";</p>
    <p>That ensures the SHA1 algorithm is disabled, making SHA1-signed
      content just unsigned, but otherwise resolvable. When you change the
      policy to DEFAULT:SHA1, it should make SHA1 enabled again
      automatically, making it secure again.</p>
    <p>If you have a custom named configuration, I would recommend
      including the crypto-policies snippet in your options {} block,
      unless you are prepared to handle it manually, of course.</p>
    <p>The above should work for our RHEL9 supported versions (and
      derived rebuilds) and also for ISC-provided builds or your own
      builds. Newer stable BIND releases have built-in autodetection of
      SHA1 support, which makes it unnecessary. But it is not an error to
      include that anyway.<br>
    </p>
    </p>
    <p>Best Regards,<br>
      Petr<br>
    </p>
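    <p>As an added example, not code from this thread or from the bind or crypto-policies projects: a small Python check that parses the disable-algorithms / disable-ds-digests statements a bind.config snippet carries, verifies that named.conf pulls the snippet in inside options {}, reports the outcome described above for a SHA1-signed zone (treated as unsigned but resolvable when the include is present and SHA1 is disabled; validated normally once SHA1 is enabled again), and tallies the lame-servers failures from the log excerpt quoted further down. The two snippet texts and the named.conf fragment are constructed samples written in BIND's statement syntax; only the include path and the log lines come from the thread.</p>

```python
"""Added example (not from the thread, bind or crypto-policies): check how the
system-wide crypto policy reaches BIND's DNSSEC validator. Parses the disable-*
statements of a bind.config snippet, checks the include in options {}, states
the outcome the thread describes for a SHA1-signed zone, and tallies
lame-servers failures from named's log. Snippet and named.conf texts are constructed."""
import re
from collections import Counter, defaultdict

POLICY_INCLUDE = "/etc/crypto-policies/back-ends/bind.config"  # include path from the thread
# Constructed sample in BIND statement syntax: SHA1 signatures and SHA-1 DS digests off.
SAMPLE_BIND_CONFIG_DEFAULT = """\
disable-algorithms "." {
DSA;
RSASHA1;
NSEC3RSASHA1;
};
disable-ds-digests "." {
SHA-1;
};
"""
# Constructed sample of what a DEFAULT:SHA1-style policy leaves: no SHA1 entries.
SAMPLE_BIND_CONFIG_SHA1 = """\
disable-algorithms "." {
DSA;
};
"""
# Constructed named.conf fragment with the include placed inside options {}.
SAMPLE_NAMED_CONF = """\
options {
    dnssec-validation auto;
    include "/etc/crypto-policies/back-ends/bind.config";
};
"""

_STMT_RE = re.compile(r'(disable-algorithms|disable-ds-digests)\s+"([^"]*)"\s*\{([^}]*)\}\s*;')
_INCLUDE_RE = re.compile(r'^\s*include\s+"([^"]+)"\s*;', re.M)
_LOG_RE = re.compile(
    r"^\S+ \S+ lame-servers: info: "
    r"(?P<msg>insecurity proof failed|no valid RRSIG|broken trust chain) "
    r"resolving '(?P<name>[^/]+)/[^/]+/IN': \S+#\d+$"
)

def parse_disables(snippet):
    """Return {statement: {zone: {NAME, ...}}} for each disable-* statement."""
    out = defaultdict(dict)
    for stmt, zone, body in _STMT_RE.findall(snippet):
        out[stmt][zone] = {n.strip() for n in body.split(";") if n.strip()}
    return dict(out)

def sha1_disabled(snippet):
    """True when the snippet turns off SHA1 signing algorithms or the SHA-1 DS digest."""
    d = parse_disables(snippet)
    algos = set().union(*d.get("disable-algorithms", {}).values())
    digests = set().union(*d.get("disable-ds-digests", {}).values())
    return bool(algos & {"RSASHA1", "NSEC3RSASHA1"}) or "SHA-1" in digests

def include_inside_options(named_conf):
    """True if the crypto-policies include sits inside options {}. Plain brace
    matching: it neither follows nested include files nor skips comments."""
    m = re.search(r"\boptions\s*\{", named_conf)
    if not m:
        return False
    depth, i = 1, m.end()
    while i < len(named_conf) and depth:
        depth += {"{": 1, "}": -1}.get(named_conf[i], 0)
        i += 1
    return POLICY_INCLUDE in _INCLUDE_RE.findall(named_conf[m.end():i - 1])

def expected_sha1_outcome(snippet, named_conf):
    """Status of a SHA1-signed zone as the thread describes it: SHA1 disabled and
    snippet included -> 'insecure' (resolvable, treated as unsigned); SHA1 not
    disabled -> 'secure'; snippet not included -> 'manual' (handle it yourself)."""
    if not sha1_disabled(snippet):
        return "secure"
    return "insecure" if include_inside_options(named_conf) else "manual"

def summarize_failures(lines):
    """Count lame-servers validation failures per (name, message) in named log lines."""
    counts = Counter()
    for line in lines:
        m = _LOG_RE.match(line.strip())
        if m:
            counts[(m["name"], m["msg"])] += 1
    return counts

# Log lines copied from the "Error Messages" section of the quoted mail.
SAMPLE_LOG = [
    "15-Dec-2023 12:36:38.772 lame-servers: info: insecurity proof failed resolving 'nist.gov/DNSKEY/IN': 2600:1480:800::43#53",
    "15-Dec-2023 12:36:39.302 lame-servers: info: no valid RRSIG resolving 'nist.gov/DNSKEY/IN': 2600:1401:1::42#53",
    "15-Dec-2023 12:36:43.094 lame-servers: info: no valid RRSIG resolving 'nist.gov/DNSKEY/IN': 132.163.3.10#53",
    "15-Dec-2023 12:36:43.824 lame-servers: info: broken trust chain resolving 'www.nist.gov/A/IN': 2610:20:6005:92::10#53",
    "15-Dec-2023 12:38:26.064 lame-servers: info: no valid RRSIG resolving 'apple/DNSKEY/IN': 2a01:8840:3a::1#53",
]

if __name__ == "__main__":
    for label, snip in (("DEFAULT", SAMPLE_BIND_CONFIG_DEFAULT), ("DEFAULT:SHA1", SAMPLE_BIND_CONFIG_SHA1)):
        print(label, "-> SHA1-signed zone is", expected_sha1_outcome(snip, SAMPLE_NAMED_CONF))
    print(dict(summarize_failures(SAMPLE_LOG)))
```

    <p>To run it against a live host, read the file at POLICY_INCLUDE and /etc/named.conf into the two functions instead of the constructed samples. The no-include case deliberately reports 'manual' rather than guessing: the thread only says such setups must be handled by hand, and a resolver that never loads the snippet will not learn the policy's algorithm list at all.</p>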
    <div class="moz-cite-prefix">On 12/15/23 13:21, Wolfgang Riedel via
      bind-users wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:8DCEB593-44E0-41D9-B3A1-50C3BA36294C@f1-consult.com">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <div>Hello,</div>
      <div><br>
      </div>
      <div>To answer my own question, the following will work:</div>
      <div><br>
      </div>
      <div><a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening">Chapter 4. Using system-wide cryptographic policies | Red Hat Enterprise Linux 8 | Red Hat Customer Portal</a> (access.redhat.com)<br>
      </div>
      <div><br>
      </div>
      <div>With: dnssec-validation auto;</div>
      <div><br>
      </div>
      <div><u>Not working:</u></div>
      <div>sudo update-crypto-policies --show</div>
      <div>DEFAULT</div>
      <div><br>
      </div>
      <div><u>Working:</u></div>
      <div>update-crypto-policies --set LEGACY</div>
      <div><br>
      </div>
      <div>sudo update-crypto-policies --show</div>
      <div>LEGACY</div>
      <br id="lineBreakAtBeginningOfMessage">
      <div>—<br>
        Cheers,<br>
        Wolfgang<br>
        __________________________________________________________________________________________<br>
        Wolfgang Riedel | Distinguished Engineer | CCIE #13804 | VCP #42559<br>
        <br>
      </div>
      <div><br>
        <blockquote type="cite">
          <div>On 15. Dec 2023, at 12:46, Wolfgang Riedel via bind-users
            <a class="moz-txt-link-rfc2396E" href="mailto:bind-users@lists.isc.org">&lt;bind-users@lists.isc.org&gt;</a> wrote:</div>
          <br class="Apple-interchange-newline">
          <div>
            <div
style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">
              Hello Petr,
              <div><br>
              </div>
              <div>The issue is not just BIND local, as you can see on <a
                  href="http://dnsviz.net/" moz-do-not-send="true">
                  dnsviz.net</a>.</div>
              <div>The whole chain of trust is broken.</div>
              <div><br>
              </div>
              <div><a href="https://dnsviz.net/d/nist.gov/dnssec/">nist.gov</a> (dnsviz.net)<br>
              </div>
              <div>
                <div>My question is more how you all deal with the fact on
                  current and updated systems?</div>
                <div><br>
                </div>
                <div><br>
                </div>
                <div>Attached the requested information.</div>
                <div><br>
                </div>
                <div><br>
                </div>
                <div><u>1) Error Messages:</u></div>
                <div><br>
                </div>
                <div>
                  <div>15-Dec-2023 12:36:38.772 lame-servers: info:
                    insecurity proof failed resolving
                    'nist.gov/DNSKEY/IN': 2600:1480:800::43#53</div>
                  <div>15-Dec-2023 12:36:39.302 lame-servers: info: no
                    valid RRSIG resolving 'nist.gov/DNSKEY/IN':
                    2600:1401:1::42#53</div>
                  <div>15-Dec-2023 12:36:40.151 lame-servers: info: no
                    valid RRSIG resolving 'nist.gov/DNSKEY/IN':
                    2610:20:6b01:3::10#53</div>
                  <div>15-Dec-2023 12:36:40.681 lame-servers: info: no
                    valid RRSIG resolving 'nist.gov/DNSKEY/IN':
                    2600:1401:2::d8#53</div>
                  <div>15-Dec-2023 12:36:40.779 lame-servers: info: no
                    valid RRSIG resolving 'nist.gov/DNSKEY/IN':
                    2600:1480:9000::40#53</div>
                  <div>15-Dec-2023 12:36:41.304 lame-servers: info: no
                    valid RRSIG resolving 'nist.gov/DNSKEY/IN':
                    2600:1406:32::43#53</div>
                  <div>15-Dec-2023 12:36:41.321 lame-servers: info: no
                    valid RRSIG resolving 'nist.gov/DNSKEY/IN':
                    2600:1480:f000::41#53</div>
                  <div>15-Dec-2023 12:36:41.784 lame-servers: info: no
                    valid RRSIG resolving 'nist.gov/DNSKEY/IN':
                    2610:20:6005:92::10#53</div>
                  <div>15-Dec-2023 12:36:41.828 lame-servers: info: no
                    valid RRSIG resolving 'nist.gov/DNSKEY/IN':
                    2.22.230.67#53</div>
                  <div>15-Dec-2023 12:36:43.094 lame-servers: info: no
                    valid RRSIG resolving 'nist.gov/DNSKEY/IN':
                    132.163.3.10#53</div>
                  <div>15-Dec-2023 12:36:43.148 lame-servers: info: no
                    valid RRSIG resolving 'nist.gov/DNSKEY/IN':
                    193.108.91.216#53</div>
                  <div>15-Dec-2023 12:36:43.237 lame-servers: info: no
                    valid RRSIG resolving 'nist.gov/DNSKEY/IN':
                    72.246.46.64#53</div>
                  <div>15-Dec-2023 12:36:43.288 lame-servers: info: no
                    valid RRSIG resolving 'nist.gov/DNSKEY/IN':
                    23.61.199.67#53</div>
                  <div>15-Dec-2023 12:36:43.305 lame-servers: info: no
                    valid RRSIG resolving 'nist.gov/DNSKEY/IN':
                    184.26.160.65#53</div>
                  <div>15-Dec-2023 12:36:43.771 lame-servers: info: no
                    valid RRSIG resolving 'nist.gov/DNSKEY/IN':
                    129.6.92.10#53</div>
                  <div>15-Dec-2023 12:36:43.823 lame-servers: info: no
                    valid RRSIG resolving 'nist.gov/DNSKEY/IN':
                    23.211.133.66#53</div>
                  <div>15-Dec-2023 12:36:43.824 lame-servers: info:
                    broken trust chain resolving '<a class="moz-txt-link-abbreviated" href="http://www.nist.gov/A/IN">www.nist.gov/A/IN</a>':
                    2610:20:6005:92::10#53</div>
                  <div>15-Dec-2023 12:36:45.905 lame-servers: info:
                    broken trust chain resolving '<a class="moz-txt-link-abbreviated" href="http://www.nist.gov/A/IN">www.nist.gov/A/IN</a>':
                    2600:1480:f000::41#53</div>
                  <div>15-Dec-2023 12:36:47.403 lame-servers: info:
                    broken trust chain resolving 'csrc.nist.gov/A/IN':
                    2600:1480:f000::41#53</div>
                </div>
                <div><br>
                </div>
                <div>
                  <div>15-Dec-2023 12:38:26.064 lame-servers: info: no
                    valid RRSIG resolving 'apple/DNSKEY/IN':
                    2a01:8840:3a::1#53</div>
                  <div>15-Dec-2023 12:38:26.880 lame-servers: info: no
                    valid RRSIG resolving 'apple/DNSKEY/IN':
                    2a01:8840:3d::1#53</div>
                  <div>15-Dec-2023 12:38:27.148 lame-servers: info: no
                    valid RRSIG resolving 'apple/DNSKEY/IN':
                    65.22.62.1#53</div>
                  <div>15-Dec-2023 12:38:27.415 lame-servers: info: no
                    valid RRSIG resolving 'apple/DNSKEY/IN':
                    65.22.60.1#53</div>
                  <div>15-Dec-2023 12:38:27.753 lame-servers: info: no
                    valid RRSIG resolving 'apple/DNSKEY/IN':
                    65.22.61.1#53</div>
                  <div>15-Dec-2023 12:38:27.770 lame-servers: info: no
                    valid RRSIG resolving 'apple/DNSKEY/IN':
                    65.22.63.1#53</div>
                  <div>15-Dec-2023 12:38:28.037 lame-servers: info: no
                    valid RRSIG resolving 'apple/DNSKEY/IN':
                    2a01:8840:3c::1#53</div>
                  <div>15-Dec-2023 12:41:23.114 lame-servers: info: no
                    valid RRSIG resolving 'apple/DNSKEY/IN':
                    2a01:8840:3d::1#53</div>
                  <div>15-Dec-2023 12:41:23.380 lame-servers: info: no
                    valid RRSIG resolving 'apple/DNSKEY/IN':
                    2a01:8840:3a::1#53</div>
                  <div>15-Dec-2023 12:41:23.648 lame-servers: info: no
                    valid RRSIG resolving 'apple/DNSKEY/IN':
                    65.22.62.1#53</div>
                  <div>15-Dec-2023 12:41:23.986 lame-servers: info: no
                    valid RRSIG resolving 'apple/DNSKEY/IN':
                    65.22.61.1#53</div>
                  <div>15-Dec-2023 12:41:24.003 lame-servers: info: no
                    valid RRSIG resolving 'apple/DNSKEY/IN':
                    65.22.63.1#53</div>
                  <div>15-Dec-2023 12:41:24.270 lame-servers: info: no
                    valid RRSIG resolving 'apple/DNSKEY/IN':
                    65.22.60.1#53</div>
                  <div>15-Dec-2023 12:41:24.538 lame-servers: info: no
                    valid RRSIG resolving 'apple/DNSKEY/IN':
                    2a01:8840:3c::1#53</div>
                  <div>15-Dec-2023 12:41:24.636 lame-servers: info: no
                    valid RRSIG resolving 'apple/DNSKEY/IN':
                    2a01:8840:3b::1#53</div>
                  <div>15-Dec-2023 12:41:24.636 lame-servers: info:
                    broken trust chain resolving
                    'safebrowsing.apple/DS/IN': 2a01:8840:3d::1#53</div>
                  <div>15-Dec-2023 12:41:24.636 lame-servers: info:
                    broken trust chain resolving
                    'proxy.safebrowsing.apple/HTTPS/IN': 17.253.200.1#53</div>
                  <div>15-Dec-2023 12:41:24.636 lame-servers: info:
                    broken trust chain resolving
                    'token.safebrowsing.apple/HTTPS/IN': 17.253.200.1#53</div>
                  <div>15-Dec-2023 12:41:24.636 lame-servers: info:
                    broken trust chain resolving
                    'proxy.safebrowsing.apple/A/IN': 17.253.200.1#53</div>
                  <div>15-Dec-2023 12:41:24.636 lame-servers: info:
                    broken trust chain resolving
                    'token.safebrowsing.apple/A/IN': 17.253.200.1#53</div>
                </div>
                <div><br>
                </div>
                <div><br>
                </div>
                <div><u>2) Info about our Recursive Resolvers</u></div>
                <div><br>
                </div>
                <div>Everything out of the box, native Rocky Linux 9
                  distribution installation.</div>
                <div><br>
                </div>
                <div>
                  <div>cat /etc/*release</div>
                  <div>NAME="Rocky Linux"</div>
                  <div>VERSION="9.3 (Blue Onyx)"</div>
                  <div>ID="rocky"</div>
                  <div>ID_LIKE="rhel centos fedora"</div>
                  <div>VERSION_ID="9.3"</div>
                  <div>PLATFORM_ID="platform:el9"</div>
                  <div>PRETTY_NAME="Rocky Linux 9.3 (Blue Onyx)"</div>
                  <div>ANSI_COLOR="0;32"</div>
                  <div>LOGO="fedora-logo-icon"</div>
                  <div>CPE_NAME="cpe:/o:rocky:rocky:9::baseos"</div>
                  <div>HOME_URL=<a class="moz-txt-link-rfc2396E" href="https://rockylinux.org/">"https://rockylinux.org/"</a></div>
                  <div>BUG_REPORT_URL=<a class="moz-txt-link-rfc2396E" href="https://bugs.rockylinux.org/">"https://bugs.rockylinux.org/"</a></div>
                  <div>SUPPORT_END="2032-05-31"</div>
                  <div>ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"</div>
                  <div>ROCKY_SUPPORT_PRODUCT_VERSION="9.3"</div>
                  <div>REDHAT_SUPPORT_PRODUCT="Rocky Linux"</div>
                  <div>REDHAT_SUPPORT_PRODUCT_VERSION="9.3"</div>
                  <div>Rocky Linux release 9.3 (Blue Onyx)</div>
                  <div>Rocky Linux release 9.3 (Blue Onyx)</div>
                  <div>Rocky Linux release 9.3 (Blue Onyx)</div>
                </div>
                <div><br>
                </div>
                <div>
                  <div style="caret-color: rgb(0, 0, 0);">
                    <div>named -v</div>
                    <div>BIND 9.16.23-RH (Extended Support Version)
                      &lt;id:fde3b1f&gt;</div>
                  </div>
                  <div style="caret-color: rgb(0, 0, 0);"><br>
                  </div>
                  <div style="caret-color: rgb(0, 0, 0);">
                    <div>openssl version</div>
                    <div>OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL
                      3.0.7 1 Nov 2022)</div>
                  </div>
                  <div style="caret-color: rgb(0, 0, 0);"><br>
                  </div>
                  <div style="caret-color: rgb(0, 0, 0);">Out of the box
                    /etc/ssl/openssl.cnf</div>
                </div>
                <div><br>
                </div>
                <div>ls -lah /proc/sys/crypto/fips_enabled</div>
                <div><br>
                </div>
                <div><br>
                </div>
                <div><br>
                </div>
                <div><u>3) More reading about the common issue:</u></div>
                <div><br>
                </div>
                <div>
                  <div style="display: block;"><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2073066">2073066 – (el9_dnssec_sha1) SHA-1 DNSSEC signatures are broken in DEFAULT crypto-policy</a> (bugzilla.redhat.com)</div>
                  <div style="display: block;">
                    <div style="display: block;">
                      <a rel="nofollow" href="https://www.icann.org/en/blogs/details/its-time-to-move-away-from-using-sha-1-in-the-dns-24-1-2020-en" moz-do-not-send="true">It’s Time to Move Away From Using SHA-1 in the DNS (icann.org)</a>
                    </div>
                    <div style="display: block;"><br>
                    </div>
                    <div style="display: block;">
                      <ul style="caret-color: rgb(0, 0, 0);">
                        <li>The SHA1 cryptographic hash algorithm was
                          introduced in 1995 and is now considered to be
                          too weak to properly secure public web sites.
                          As such, it is being deprecated.</li>
                        <li>Subsequent versions of Chrome will turn up
                          the heat on SHA1 use.</li>
                        <li>Windows will stop accepting SHA1 end-entity
                          certificates by January 1, 2017.</li>
                        <li>Windows CAs should stop issuing new SHA1 SSL
                          end-entity certificates by January 1, 2016.
                          The reason is that certificates are valid
                          for a minimum of 1 year. Since the generally
                          accepted date for deprecation is Jan 1, 2017,
                          SHA1 certs should not be created after Jan 1,
                          2016, because the expiration date of the
                          certificate would be past the deprecation
                          date.</li>
                        <li>See the Microsoft KB article for specifics
                          on code signing certificates.</li>
                        <li>Microsoft is going to reevaluate their
                          policy in July 2015.</li>
                        <li>Mozilla has stated that they are in
                          agreement with Microsoft and Google and that
                          SHA1 certificates should not be issued after
                          Jan 1, 2016 or trusted after Jan 1, 2017. They
                          will phase in varying degrees of messages
                          moving forward. After Jan 1, 2017 Firefox will
                          show SHA1 protected sites as untrusted.</li>
                      </ul>
                    </div>
                  </div>
                </div>
                <div>
                  <div style="font-family: Consolas; font-size: 11px;">—<br>
                    Cheers,<br>
                    Wolfgang<br>
                    ______________________________________________________________________________________________<br>
                    Wolfgang Riedel | Distinguished Engineer | CCIE #13804 | VCP #42559<br>
                    <br>
                  </div>
                  <div>
                    <blockquote type="cite">
                      <div>On 14. Dec 2023, at 09:09, Petr Špaček
                        <a class="moz-txt-link-rfc2396E" href="mailto:pspacek@isc.org"><pspacek@isc.org></a> wrote:</div>
                      <br class="Apple-interchange-newline">
                      <div>
                        <div>On 14. 12. 23 8:58, Wolfgang Riedel via
                          bind-users wrote:<br>
                          <blockquote type="cite">Hi Folks,<br>
                            I just wonder what your take is on the
                            current DNSSEC mess with SHA1?<br>
                            There are still a lot of top level domains
                            being signed with SHA1 and it looks like nobody
                            really cares?<br>
                            Current OS releases like RHEL9 and others
                            simply removed SHA1 from the code, so if
                            you're running BIND with "dnssec-validation
                            auto" all those domains fail to resolve and
                            the only way is "dnssec-validation no",
                            which eliminates the whole idea of DNSSEC!<br>
                            The worst is that even nist.gov fails, WTF!<br>
                            <a class="moz-txt-link-freetext" href="https://dnsviz.net/d/nist.gov/dnssec/">https://dnsviz.net/d/nist.gov/dnssec/</a><br>
                            Any advice or ideas?<br>
                          </blockquote>
                          <br>
                          Given the lack of details it's hard to say.
                          Widespread DNSSEC validation failures on RHEL
                          9 are not a shared experience.<br>
                          <br>
                          Please provide:<br>
                          - **exact** version numbers<br>
                          - how you got the packages<br>
                          - which version of OpenSSL is in use, and how
                          it's configured<br>
                          - Is FIPS mode in play or not?<br>
                          ... and then we can get to diagnosing your
                          issue.<br>
                          <br>
                          -- <br>
                          Petr Špaček<br>
                          Internet Systems Consortium<br>
                          -- <br>
                          Visit
                          <a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a>
                          to unsubscribe from this list<br>
                          <br>
                          ISC funds the development of this software
                          with paid support subscriptions. Contact us at
                          <a class="moz-txt-link-freetext" href="https://www.isc.org/contact/">https://www.isc.org/contact/</a> for more
                          information.<br>
                          <br>
                          <br>
                          bind-users mailing list<br>
                          <a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
                        </div>
                      </div>
                    </blockquote>
                  </div>
                  <br>
                </div>
              </div>
            </div>
          </div>
        </blockquote>
      </div>
      <br>
      <br>
    </blockquote>
    <pre class="moz-signature" cols="72">-- 
Petr Menšík
Software Engineer, RHEL
Red Hat, <a class="moz-txt-link-freetext" href="https://www.redhat.com/">https://www.redhat.com/</a>
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB</pre>
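<p>Added example, written for this thread rather than taken from any message in it or from ISC's or Red Hat's code: a small Python linter for <code>named.conf</code> that reports the two settings the quoted exchange turns on. It flags the <code>dnssec-validation no</code> workaround Wolfgang mentions (which switches validation off for every zone, not only SHA-1 signed ones, so forged answers pass too) and checks whether the crypto-policies snippet is included inside <code>options {}</code> or inside every <code>view {}</code>. It assumes a RHEL 9 / Fedora host, where the crypto-policies package installs that snippet at <code>/etc/crypto-policies/back-ends/bind.config</code> (the file carrying the disable-algorithms statements for the active policy, DEFAULT or DEFAULT:SHA1); the sample configurations mentioned below are constructed.</p>

```python
"""Lint a BIND named.conf for the two settings discussed in the thread.

Added example; assumptions: RHEL 9 / Fedora layout, where crypto-policies
ships /etc/crypto-policies/back-ends/bind.config, and a named.conf that
keeps these statements in top-level options {} / view {} blocks.
"""
import re

# Snippet installed by the crypto-policies package (assumed RHEL/Fedora path).
CRYPTO_POLICY_INCLUDE = "/etc/crypto-policies/back-ends/bind.config"

# Start of a top-level `options { ... }` or `view "name" { ... }` block.
BLOCK_RE = re.compile(r"\b(options|view)\b[^{;]*\{")


def strip_comments(text: str) -> str:
    """Drop the three comment styles named.conf accepts (/* */, //, #).
    Quoted strings are not tracked, so a '#' inside a string is eaten too;
    good enough for the statements inspected here."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def top_level_blocks(text: str):
    """Return [(keyword, body), ...] for each top-level options/view block,
    walking braces so nested statements (listen-on { any; }; ...) stay in body."""
    out = []
    for m in BLOCK_RE.finditer(text):
        prefix = text[: m.start()]
        if prefix.count("{") != prefix.count("}"):
            continue  # keyword sits inside another block; not top level
        depth, j = 1, m.end()
        while j < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        if depth:
            raise ValueError("unbalanced braces in named.conf")
        out.append((m.group(1), text[m.end(): j - 1]))
    return out


def check_named_conf(text: str) -> dict:
    """Return {'validation': 'auto'|'yes'|'no'|None,
               'include_scope': 'options'|'view'|'top-level'|'missing',
               'findings': [str, ...]}."""
    text = strip_comments(text)
    blocks = top_level_blocks(text)
    options = next((b for k, b in blocks if k == "options"), None)
    result = {"validation": None, "include_scope": "missing", "findings": []}
    if options is None:
        result["findings"].append("no options {} block found")
        return result

    # dnssec-validation: BIND 9.16+ defaults to auto when the statement is absent.
    m = re.search(r"dnssec-validation\s+(auto|yes|no)\s*;", options)
    result["validation"] = m.group(1) if m else "auto"
    if result["validation"] == "no":
        result["findings"].append(
            "dnssec-validation no: validation is off for every zone, not just "
            "SHA-1 signed ones, so forged answers are accepted as well")

    inc = re.compile(r'include\s+"' + re.escape(CRYPTO_POLICY_INCLUDE) + r'"\s*;')
    views = [b for k, b in blocks if k == "view"]
    views_with = [b for b in views if inc.search(b)]
    if inc.search(options):
        result["include_scope"] = "options"
    elif views_with:
        result["include_scope"] = "view"
        if len(views_with) < len(views):
            result["findings"].append(
                f"only {len(views_with)} of {len(views)} view blocks include "
                f"{CRYPTO_POLICY_INCLUDE}; the others do not follow the system policy")
    elif inc.search(text):
        # disable-algorithms is an options/view statement, so a top-level
        # include of the snippet makes named-checkconf reject the file.
        result["include_scope"] = "top-level"
        result["findings"].append(
            "crypto-policies include sits outside options {} / view {}; "
            "disable-algorithms is only accepted inside those blocks")
    else:
        result["findings"].append(
            f"{CRYPTO_POLICY_INCLUDE} is not included: SHA-1 handling will not "
            "follow the system crypto policy (DEFAULT vs DEFAULT:SHA1)")
    return result


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/named.conf"
    with open(path) as fh:
        report = check_named_conf(fh.read())
    print(f"{path}: dnssec-validation={report['validation']} "
          f"crypto-policies include={report['include_scope']}")
    for finding in report["findings"]:
        print("  !", finding)
```

<p>Run it as <code>python3 check_named_conf.py /etc/named.conf</code>. It only looks at top-level <code>options</code> and <code>view</code> blocks and does not track quoted strings, so <code>named-checkconf -p</code> remains the authority on what named actually parses; the linter is meant to catch the two configurations above before a policy change is rolled out to a fleet of resolvers.</p>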
  </body>
</html>