DNSSEC validation in CentOS Stream 9

Josef Vybíhal josef.vybihal at gmail.com
Thu Sep 8 07:30:53 UTC 2022


Thanks! I now remember, I have seen Petr discussing something similar
on the Bind Users mailing list.

Josef

On Thu, Sep 8, 2022 at 9:20 AM Carsten Strotmann <carsten at strotmann.de> wrote:
>
> Hello Josef,
>
> On 8 Sep 2022, at 8:42, Josef Vybíhal via Unbound-users wrote:
>
> > Hello everyone,
> > maybe this will be obvious to some, but I have been scratching my head
> > about this since yesterday.
> >
> > In CentOS Stream 9, when unbound installed from Appstream, I see that
> > unbound returns insecure replies to clients. Which is not what I want,
> > nor what I am used to. I am thinking this might be a packaging bug,
> > compile option or config setting, but I can not figure out which and
> > where. I am testing with untouched rpm package config.
> >
> >
> > CentOS Stream 9 example:
> > [root@18 ~]# dig sigfail.verteiltesysteme.net @127.1 +short
> > 134.91.78.139
> > [root@18 ~]# unbound-host -C /etc/unbound/unbound.conf -v
> [...]
> > sigok.verteiltesysteme.net has address 134.91.78.139 (insecure)
> > sigok.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139 (insecure)
> > sigok.verteiltesysteme.net has no mail handler record (insecure)
> > [root@18 ~]# unbound -V
> > Version 1.16.2
>
> Red Hat removed (almost all) SHA1 support from RHEL 9 (including CentOS), which causes DNSSEC zones signed with RSASHA1 to be treated as insecure:
>
> <https://access.redhat.com/solutions/6955455>
>
> This affects the Red Hat build versions of Unbound and BIND 9 (as a resolver).
>
> SHA1 for DNSSEC use is on its path to be deprecated <https://www.ietf.org/archive/id/draft-hardaker-dnsop-must-not-sha1-00.html>, but there are still zones that have not migrated to stronger DNSSEC algorithms.
>
> See the discussion on this mailing list for some background <https://lists.nlnetlabs.nl/pipermail/unbound-users/2022-April/007709.html>
>
> Greetings
>
> Carsten
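Added example, not code from this thread, from Unbound, or from Red Hat: a small Python script that parses DNSKEY records in the presentation format that `dig DNSKEY <zone>` prints, computes each key's RFC 4034 key tag, and flags the signing algorithms a validator with SHA-1 disabled cannot verify. The algorithm numbers and names are from the IANA registry; the choice of which algorithms to flag (RSASHA1 and its NSEC3 variant, plus the DSA variants, which also sign with SHA-1) and the sample DNSKEY lines with a 3-byte toy key are assumptions made for this example.

```python
"""Added example: classify DNSKEY records by signing algorithm and compute
their key tags (RFC 4034, Appendix B).  Useful for spotting zones that a
resolver with SHA-1 disabled (the RHEL 9 / CentOS Stream 9 builds of Unbound
and BIND discussed in the thread) will answer for as 'insecure'."""
import base64
import struct
from dataclasses import dataclass

# IANA DNS Security Algorithm Numbers (subset).
ALGORITHMS = {
    1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
    7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}
# Assumption for this check: algorithms whose signatures are computed over
# SHA-1.  The thread reports RSASHA1 (5) being treated as insecure; its NSEC3
# variant (7) and the DSA variants (3, 6) use SHA-1 as well, so all four are
# flagged here.
SHA1_BASED = {3, 5, 6, 7}
# RSAMD5 has been "must not implement" for years; no validator accepts it.
NEVER_SUPPORTED = {1}


@dataclass
class DNSKey:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes  # raw (base64-decoded) public key field

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | key."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag (valid for every algorithm except RSAMD5)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    @property
    def is_ksk(self) -> bool:
        return bool(self.flags & 0x0001)  # SEP bit set => key signing key


def parse_dnskey(line: str) -> DNSKey:
    """Parse one DNSKEY record in presentation format: either the full
    'owner TTL IN DNSKEY flags proto alg key...' form or the bare
    'flags proto alg key...' form that `dig +short` prints."""
    fields = line.split()
    if "DNSKEY" in fields:
        owner = fields[0]
        fields = fields[fields.index("DNSKEY") + 1:]
    else:
        owner = "?"  # +short output carries no owner name
    flags, protocol, algorithm = (int(f) for f in fields[:3])
    if protocol != 3:
        raise ValueError(f"protocol must be 3 (RFC 4034), got {protocol}")
    public_key = base64.b64decode("".join(fields[3:]))  # key may be split into chunks
    return DNSKey(owner, flags, protocol, algorithm, public_key)


def classify(key: DNSKey) -> str:
    """Return 'unsupported', 'insecure-without-sha1' or 'ok'."""
    if key.algorithm in NEVER_SUPPORTED:
        return "unsupported"
    if key.algorithm in SHA1_BASED:
        return "insecure-without-sha1"
    return "ok"


def report(dnskey_text: str) -> list:
    """One (owner, key_tag, role, algorithm name, verdict) tuple per DNSKEY line."""
    rows = []
    for line in dnskey_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        k = parse_dnskey(line)
        rows.append((k.owner, k.key_tag(), "KSK" if k.is_ksk else "ZSK",
                     ALGORITHMS.get(k.algorithm, f"alg{k.algorithm}"), classify(k)))
    return rows


# Constructed sample: three DNSKEY lines with a 3-byte toy key ('AQAB'),
# not real keys.  Algorithm 5 is the one the thread's resolver refuses.
SAMPLE = """\
; constructed, not a real zone
example.test. 3600 IN DNSKEY 257 3 5 AQAB
example.test. 3600 IN DNSKEY 256 3 13 AQAB
257 3 8 AQAB
"""

if __name__ == "__main__":
    for row in report(SAMPLE):
        print("%-14s tag=%5d %s %-20s %s" % row)
```

Feed it the DNSKEY RRset of a zone you need to resolve; any `insecure-without-sha1` row explains an `(insecure)` result like the one above on a RHEL 9 resolver, and the key tag lets you match each key against the DS record published at the parent.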