<div dir="ltr"><div>Dear Paul</div><div><br></div>Thank you very much.<br>I do not want to enable SHA-1.<br>I just want to know why SERVFAIL is returned by Unbound on a system where SHA-1 is supposed to be disabled.<br><a href="http://dnssec-failed.org">dnssec-failed.org</a> is BOGUS, but on RHEL 9 it should be Insecure.</div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">Fri, Mar 7, 2025 at 10:18 Paul Wouters <<a href="mailto:paul@nohats.ca">paul@nohats.ca</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">update-crypto-policies --set LEGACY<div>systemctl restart unbound</div><div><br></div><div>Paul</div><div><br id="m_1218535745945503603lineBreakAtBeginningOfSignature"><div dir="ltr">Sent using a virtual keyboard on a phone</div><div dir="ltr"><br><blockquote type="cite">On Mar 6, 2025, at 19:11, FG NN via Unbound-users <<a href="mailto:unbound-users@lists.nlnetlabs.nl" target="_blank">unbound-users@lists.nlnetlabs.nl</a>> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><div dir="ltr">Hello.<br>I am currently testing Unbound.<br>My environment is:<br>・RHEL 9.5<br>・Unbound 1.22.0<br>I got the tarball from “<a href="https://nlnetlabs.nl/downloads/unbound/unbound-latest.tar.gz" target="_blank">https://nlnetlabs.nl/downloads/unbound/unbound-latest.tar.gz</a>” and built it with the options “--enable-systemd --with-libevent”.<br>My unbound.conf is as follows:<br>---<br>server:<br>    interface: ens192<br>    interface: 127.0.0.1<br>    port: 53<br>    msg-cache-slabs: 4<br>    rrset-cache-slabs: 4<br>    infra-cache-slabs: 4<br>    key-cache-slabs: 4<br><br>    so-reuseport: yes<br>    outgoing-num-tcp: 1000<br>    incoming-num-tcp: 1000<br>    msg-cache-size: 128m<br>    rrset-cache-size: 256m<br>    num-queries-per-thread: 2048<br><br>    do-ip6: no<br>    do-daemonize: no<br><br>    access-control: <a href="http://127.0.0.0/8" target="_blank">127.0.0.0/8</a> allow<br>    access-control: <a href="http://192.168.0.0/16" target="_blank">192.168.0.0/16</a> allow<br>    private-address: <a href="http://192.168.0.0/16" target="_blank">192.168.0.0/16</a><br><br>    auto-trust-anchor-file: "/usr/local/etc/unbound/files/root.key"<br>    root-hints: "/usr/local/etc/unbound/files/named.root"<br><br>remote-control:<br>    control-enable: yes<br>    control-interface: 127.0.0.1<br>---<br><br>When attempting to resolve the name “<a href="http://dnssec-failed.org" target="_blank">dnssec-failed.org</a>”, which is signed with SHA-1, “SERVFAIL” is returned.<br>---<br># dig @<a href="http://127.0.0.1" target="_blank">127.0.0.1</a> <a href="http://dnssec-failed.org" target="_blank">dnssec-failed.org</a> +dnssec<br><br>; <<>> DiG 9.16.23-RH <<>> @<a href="http://127.0.0.1" target="_blank">127.0.0.1</a> <a href="http://dnssec-failed.org" target="_blank">dnssec-failed.org</a> +dnssec<br>; (1 server found)<br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23429<br>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags: do; udp: 1232<br>;; QUESTION SECTION:<br>;<a href="http://dnssec-failed.org" target="_blank">dnssec-failed.org</a>.             IN      A<br><br>;; Query time: 0 msec<br>;; SERVER: 127.0.0.1#53(127.0.0.1)<br>;; WHEN: Thu Mar 06 14:28:14 JST 2025<br>;; MSG SIZE  rcvd: 46<br>---<br>The result is the same after executing “update-crypto-policies --set DEFAULT:NO-SHA1”.<br>(To begin with, SHA-1 is disabled in RHEL 9 by default.)<br>I have heard that normally, in this case, Unbound will reply “NOERROR” as “Insecure”.<br><a href="https://github.com/NLnetLabs/unbound/pull/660" target="_blank">https://github.com/NLnetLabs/unbound/pull/660</a><br>Is there a problem with my configuration that is causing the SERVFAIL?<br>I know that if I just want to receive “NOERROR” as “Insecure”, I can disable SHA-1 by adding the --disable-sha1 build option.<br>This is just a question out of personal interest, but I hope someone can answer it for me.<br></div>
</div></blockquote></div></div></blockquote></div>
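Added example, not part of the thread above and not Unbound project code: a small POSIX shell helper that separates the outcomes the thread is arguing about (Secure, Insecure, BOGUS) from a plain resolution failure, using the headers of two dig runs against the resolver, one normal and one with +cd (checking disabled). A validating resolver answers SERVFAIL for data it rejects but still hands that data out when the client sets CD, so the pair of queries distinguishes "the validator rejected it" from "the resolver could not get it at all"; an answer without the AD bit is what Insecure looks like on the wire. The dig outputs fed to it here are constructed (the SERVFAIL header is the one quoted in the thread, the +cd reply is made up), and the dig_classify wrapper that queries a live resolver is an assumed usage pattern that is defined but not run.

```shell
#!/bin/sh
# Added example, not from the thread: classify a validating resolver's
# DNSSEC verdict for a name from two dig runs, one plain and one with +cd.

# rcode_of DIG_OUTPUT: the rcode ("NOERROR", "SERVFAIL", ...) from the header line.
rcode_of() {
  printf '%s\n' "$1" | sed -n '/status: /{s/.*status: \([A-Z]*\),.*/\1/p;q;}'
}

# flags_of DIG_OUTPUT: the header flag list, e.g. "qr rd ra ad".
flags_of() {
  printf '%s\n' "$1" | sed -n '/^;; flags: /{s/^;; flags: \([^;]*\);.*/\1/p;q;}'
}

# classify_dnssec PLAIN_OUTPUT CD_OUTPUT
#   SECURE   answer carries the AD bit: the validator proved the chain
#   INSECURE answer without AD: unsigned zone, or a signature algorithm the
#            validator does not support (what the thread expects for SHA-1
#            on a host where SHA-1 is disabled)
#   BOGUS    SERVFAIL without CD but an answer with CD: the data exists and
#            the validator rejected it (what dnssec-failed.org is meant to show)
#   FAILED   SERVFAIL even with CD: the resolver could not fetch the data at
#            all, so this is not a DNSSEC verdict
classify_dnssec() {
  plain_rc=$(rcode_of "$1")
  cd_rc=$(rcode_of "$2")
  flags=$(flags_of "$1")
  case "$plain_rc" in
    SERVFAIL)
      if [ "$cd_rc" = "NOERROR" ] || [ "$cd_rc" = "NXDOMAIN" ]; then
        echo BOGUS
      else
        echo FAILED
      fi ;;
    NOERROR|NXDOMAIN)
      case " $flags " in
        *" ad "*) echo SECURE ;;
        *)        echo INSECURE ;;
      esac ;;
    *) echo "UNKNOWN($plain_rc)" ;;
  esac
}

# dig_classify NAME [SERVER]: the live version (assumed usage, not run here).
dig_classify() {
  _name=$1; _server=${2:-127.0.0.1}
  classify_dnssec "$(dig @"$_server" "$_name" A +dnssec)" \
                  "$(dig @"$_server" "$_name" A +dnssec +cd)"
}

# Constructed sample: the SERVFAIL header quoted in the thread, paired with a
# made-up +cd reply that returns the record.
SAMPLE_PLAIN=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23429
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

echo "dnssec-failed.org verdict: $(classify_dnssec "$SAMPLE_PLAIN" "$SAMPLE_CD")"   # BOGUS
```

If you would rather use Unbound's own tooling, unbound-host -v gives the same three-way verdict directly by appending (secure), (insecure) or (BOGUS) to each answer; the helper above works the same way against any validating resolver, which makes it handy for comparing a stock RHEL Unbound with a self-built one.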