Does Unbound + RHEL9 still perform SHA-1 verification?
FG NN
kazan.furin.shingen at gmail.com
Fri Mar 7 00:11:06 UTC 2025
Hello.
I am currently testing Unbound.
My environment is
・RHEL 9.5
・Unbound 1.22.0
I got the tarball from “https://nlnetlabs.nl/downloads/unbound/unbound-latest.tar.gz” and built it with the options “--enable-systemd --with-libevent”.
My unbound.conf is as follows
---
server:
    interface: ens192
    interface: 127.0.0.1
    port: 53
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    infra-cache-slabs: 4
    key-cache-slabs: 4
    so-reuseport: yes
    outgoing-num-tcp: 1000
    incoming-num-tcp: 1000
    msg-cache-size: 128m
    rrset-cache-size: 256m
    num-queries-per-thread: 2048
    do-ip6: no
    do-daemonize: no
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow
    private-address: 192.168.0.0/16
    auto-trust-anchor-file: "/usr/local/etc/unbound/files/root.key"
    root-hints: "/usr/local/etc/unbound/files/named.root"
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
---
When attempting to resolve the name “dnssec-failed.org”, which is signed with SHA-1, “SERVFAIL” is returned.
---
# dig @127.0.0.1 dnssec-failed.org +dnssec
; <<>> DiG 9.16.23-RH <<>> @127.0.0.1 dnssec-failed.org +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23429
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;dnssec-failed.org. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Mar 06 14:28:14 JST 2025
;; MSG SIZE rcvd: 46
---
The result is the same after executing “update-crypto-policies --set DEFAULT:NO-SHA1”.
(To begin with, SHA-1 is disabled in RHEL 9 by default.)
Normally, I have heard that in this case, Unbound will reply “NOERROR” as “Insecure”.
https://github.com/NLnetLabs/unbound/pull/660
Is there a problem with my configuration that is causing the SERVFAIL?
I know that if I just want to receive “NOERROR” as “Insecure”, I can
disable SHA-1 by adding the --disable-sha1 build option.
This is just a question for personal interest, but I hope someone can
answer it for me.
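The question hinges on telling three outcomes apart: a validated answer (NOERROR with the AD flag), an unvalidated "insecure" answer (NOERROR without AD, which is what a resolver that treats SHA-1 as unsupported should return), and a "bogus" answer (SERVFAIL that turns into NOERROR when checking is disabled with +cd). The following script is an added example, not code from the post or from the Unbound project: it parses dig header lines and classifies the result, so the SERVFAIL shown above can be distinguished from an upstream outage. The three dig outputs embedded below are constructed (the SERVFAIL one mirrors the header of the output quoted in the post); the `+cd` output is an assumed companion run, not one the poster reported.

```python
import re

# Constructed sample: the header of the SERVFAIL answer quoted in the post.
SERVFAIL_OUTPUT = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23429
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

# Constructed sample: an assumed second run of the same query with +cd
# (checking disabled). If the data exists but fails validation, this
# returns NOERROR, which is the classic sign of a bogus/validation failure.
CD_OUTPUT = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41022
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""

# Constructed sample: a validated answer (AD flag set).
SECURE_OUTPUT = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""

# Constructed sample: an unvalidated answer (NOERROR, no AD flag). This is
# what the post expects from a resolver that treats SHA-1 as unsupported.
INSECURE_OUTPUT = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""


def parse_dig_header(text):
    """Return (status, set_of_flags) from the header lines of dig output."""
    status_m = re.search(r"status: ([A-Z]+)", text)
    if status_m is None:
        raise ValueError("no dig status line found")
    flags_m = re.search(r";; flags: ([a-z ]*);", text)
    flags = set(flags_m.group(1).split()) if flags_m else set()
    return status_m.group(1), flags


def classify(normal_output, cd_output=None):
    """Classify a DNSSEC-enabled query result.

    normal_output: output of `dig @resolver name +dnssec`
    cd_output:     output of the same query run with `+cd` (optional)

    Returns one of "secure", "insecure", "bogus", "servfail".
    """
    status, flags = parse_dig_header(normal_output)
    if status == "NOERROR":
        # AD means the resolver validated the chain; without it the
        # answer was returned as insecure (unsigned or unsupported algorithm).
        return "secure" if "ad" in flags else "insecure"
    if status == "SERVFAIL" and cd_output is not None:
        cd_status, _ = parse_dig_header(cd_output)
        if cd_status == "NOERROR":
            # Data is reachable but rejected by validation: bogus.
            return "bogus"
    # SERVFAIL even with checking disabled (or no +cd run): treat as a
    # plain resolution failure rather than a validation verdict.
    return "servfail"


if __name__ == "__main__":
    print("post's SERVFAIL + assumed +cd run:", classify(SERVFAIL_OUTPUT, CD_OUTPUT))
    print("validated answer:", classify(SECURE_OUTPUT))
    print("unvalidated answer:", classify(INSECURE_OUTPUT))
```

To apply this against a real resolver, capture `dig @127.0.0.1 dnssec-failed.org +dnssec` and `dig @127.0.0.1 dnssec-failed.org +dnssec +cd` and pass both outputs to `classify`: a "bogus" result means the resolver itself rejected the SHA-1 chain, whereas "servfail" with +cd as well points to a reachability or upstream problem rather than validation.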