ad flag missing, but no error messages

Graham Leggett minfrin at sharp.fm
Sat Nov 9 12:23:39 UTC 2024


On 08 Nov 2024, at 13:34, Yorgos Thessalonikefs via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:

> I **think** you are hitting the system wide policies in RH9 that SHA1 is disabled by default.
> 
> Can you try the suggestion on this link to bring it back?
> https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#proc_re-enabling-sha-1_using-the-system-wide-cryptographic-policies
> 
> Since the zone is only signed with algorithm 7 (RSASHA1-NSEC3-SHA1), Unbound cannot validate it and instead treats it as insecure.
> That is why you get all the records back and no AD bit.

Went back to check this, and the current setting on the machine is LEGACY, so in theory SHA1 should still work.

[root at seawitch unbound]# update-crypto-policies --show
LEGACY

I then tried to build a completely vanilla unbound v1.22.0, yet this version fails to start complaining about:

fatal error: could not open autotrust file for writing, /root.key.10018-0-16059b0: Permission denied

The path /root.key.10018-0-16059b0 is weird - I would have expected it to be relative to the "/usr/local/etc/unbound/root.key" value, but somehow "/" is hardcoded somewhere in the code.

Regards,
Graham
--
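As an added illustration of the diagnosis quoted above (the AD bit only appears when the resolver validated the chain; a zone signed only with algorithm 7 that the resolver cannot verify is treated as insecure), here is a small Python script of my own, not code from Unbound or from either poster. It parses the flags of a DNS wire-format response header, and classifies the outcome using the zone's DNSSEC algorithm numbers supplied separately. The sample messages are constructed in the script; the status labels and the "SHA-1 disabled by crypto policy" explanation are assumptions following the reply's reasoning, not something the script measures on a live resolver.

```python
import struct

# DNSSEC algorithm numbers (IANA "DNS Security Algorithm Numbers" registry);
# only the ones commonly seen in deployed zones are listed here.
DNSSEC_ALGORITHMS = {
    5: "RSASHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
    15: "ED25519",
    16: "ED448",
}
# Algorithms whose signatures depend on SHA-1; a resolver whose crypto
# policy refuses SHA-1 cannot validate a zone signed only with these.
SHA1_ALGORITHMS = {5, 7}

# Header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3).
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2


def build_header(ident, *, qr=True, rd=True, ra=True, ad=False, cd=False,
                 rcode=RCODE_NOERROR, qdcount=1, ancount=0, nscount=0, arcount=0):
    """Serialise a 12-byte DNS header; used here only to construct sample responses."""
    flags = rcode & 0x0F
    for bit, on in ((FLAG_QR, qr), (FLAG_RD, rd), (FLAG_RA, ra), (FLAG_AD, ad), (FLAG_CD, cd)):
        if on:
            flags |= bit
    return struct.pack("!6H", ident, flags, qdcount, ancount, nscount, arcount)


def parse_header(msg):
    """Decode the header of a DNS wire-format message into a dict of fields."""
    if len(msg) < 12:
        raise ValueError("message shorter than a 12-byte DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),   # Authenticated Data: resolver validated the answer
        "cd": bool(flags & FLAG_CD),   # Checking Disabled: client asked for no validation
        "rcode": flags & 0x0F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_validation(msg, zone_algorithms=()):
    """Return (status, reason) for a response from a validating resolver.

    zone_algorithms: algorithm numbers found in the zone's DNSKEY/RRSIG
    records, obtained separately (for example from a dig +dnssec query).
    Status labels are this script's own convention (assumption).
    """
    hdr = parse_header(msg)
    if hdr["cd"]:
        return "unvalidated", "CD set: validation was disabled by the client"
    if hdr["rcode"] == RCODE_SERVFAIL:
        return "bogus", "SERVFAIL: resolver may have failed validation"
    if hdr["ad"]:
        return "secure", "AD set: resolver validated the signatures"
    algs = set(zone_algorithms)
    if algs and algs <= SHA1_ALGORITHMS:
        names = ", ".join(f"{a} ({DNSSEC_ALGORITHMS[a]})" for a in sorted(algs))
        return "insecure", (f"no AD bit and the zone is signed only with {names}; "
                            "a resolver whose crypto policy disables SHA-1 treats such a zone as unsigned")
    return "insecure", "no AD bit: resolver found no usable chain of trust"


if __name__ == "__main__":
    # Constructed sample: a NOERROR answer with one record and no AD bit, the
    # situation described in the thread for a zone signed only with algorithm 7.
    sample = build_header(0x1234, ancount=1)
    print(parse_header(sample))
    print(classify_validation(sample, zone_algorithms={7}))
    # Same answer, but this time the resolver validated it (algorithm 13 zone).
    print(classify_validation(build_header(0x1234, ad=True, ancount=1), zone_algorithms={13}))
```

To use it against real traffic, feed the raw UDP payload of a response from the resolver into classify_validation together with the algorithm numbers seen in the zone's RRSIG records; a "secure" result with AD set is what a working SHA-1-capable validator should produce for the zone discussed here, while "insecure" with the SHA-1 reason points back at the crypto-policy check in the quoted reply.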
