Does Unbound + RHEL9 still perform SHA-1 verification?
FG NN
kazan.furin.shingen at gmail.com
Fri Mar 7 02:09:47 UTC 2025
Dear Paul
Thank you very much.
I do not want to enable SHA-1.
I just want to know why SERVFAIL is returned for Unbound on a system where
SHA-1 is supposed to be disabled.
The dnssec-failed.org is BOGUS, but on RHEL 9 it should be Insecure.
On Fri, Mar 7, 2025 at 10:18 Paul Wouters <paul at nohats.ca> wrote:
> update-crypto-policies --set LEGACY
> systemctl unbound restart
>
> Paul
>
> Sent using a virtual keyboard on a phone
>
> On Mar 6, 2025, at 19:11, FG NN via Unbound-users <
> unbound-users at lists.nlnetlabs.nl> wrote:
>
>
> Hello.
> I am currently testing Unbound.
> My environment is
> ・RHEL 9.5
> ・Unbound 1.22.0
> I got the tarball from
> “https://nlnetlabs.nl/downloads/unbound/unbound-latest.tar.gz” and built
> it with the option “--enable-systemd --with-libevent”.
> My unbound.conf is as follows
> ---
> server:
> interface: ens192
> interface: 127.0.0.1
> port: 53
> msg-cache-slabs: 4
> rrset-cache-slabs: 4
> infra-cache-slabs: 4
> key-cache-slabs: 4
>
> so-reuseport: yes
> outgoing-num-tcp: 1000
> incoming-num-tcp: 1000
> msg-cache-size: 128m
> rrset-cache-size: 256m
> num-queries-per-thread: 2048
>
> do-ip6: no
> do-daemonize: no
> access-control: 192.168.0.0/16 allow
> infra-cache-slabs: 4
> key-cache-slabs: 4
>
> so-reuseport: yes
> outgoing-num-tcp: 1000
> incoming-num-tcp: 1000
> msg-cache-size: 128m
> rrset-cache-size: 256m
> num-queries-per-thread: 2048
>
> do-ip6: no
> do-daemonize: no
>
> access-control: 127.0.0.0/8 allow
> access-control: 192.168.0.0/16 allow
>
> private-address: 192.168.0.0/16
>
> auto-trust-anchor-file: "/usr/local/etc/unbound/files/root.key"
> root-hints: "/usr/local/etc/unbound/files/named.root"
>
> remote-control:
> control-enable: yes
> control-interface: 127.0.0.1
> ---
>
> When attempting to resolve the name “dnssec-failed.org”, which is
> signed with SHA-1, “SERVFAIL” is returned.
> ---
> # dig @127.0.0.1 dnssec-failed.org +dnssec
>
> ; <<>> DiG 9.16.23-RH <<>> @127.0.0.1 dnssec-failed.org +dnssec
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23429
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1232
> ;; QUESTION SECTION:
> ;dnssec-failed.org. IN A
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Thu Mar 06 14:28:14 JST 2025
> ;; MSG SIZE rcvd: 46
> ---
> The result is the same after executing “update-crypto-policies --set
> DEFAULT:NO-SHA1”.
> (To begin with, SHA-1 is disabled in RHEL 9 by default.)
> Normally, I have heard that in this case, Unbound will reply “NOERROR”
> as “Insecure”.
> https://github.com/NLnetLabs/unbound/pull/660
> Is there a problem with my configuration that is causing the SERVFAIL?
> I know that if I just want to receive “NOERROR” as “Insecure”, I can
> disable SHA-1 by adding the --disable-sha1 build option.
> This is just a question for personal interest, but I hope someone can
> answer it for me.
>
>
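The distinction the thread turns on, as an added illustration that is not Unbound's code: a validator treats a zone as Insecure only when it does not support any algorithm in the DS RRset (RFC 4035 §5.2), but when it does support the algorithm and the system crypto library then refuses it at runtime, signature checks simply fail and the chain becomes Bogus (SERVFAIL). The function, parameter names and the "runtime probe" switch are assumptions used to model the cases discussed (default build under NO-SHA1, a --disable-sha1 build, LEGACY policy, a zone signed with two algorithms).

```python
"""Simplified model of DNSSEC status decisions around unsupported algorithms.

Added illustration, not code from Unbound. The algorithm numbers are the
IANA DNSSEC algorithm registry values; the function and its parameters are
assumptions made for this example.
"""
from enum import Enum

# IANA DNSSEC algorithm numbers used in the scenarios below.
RSASHA1 = 5              # SHA-1 based
RSASHA1_NSEC3_SHA1 = 7   # SHA-1 based
RSASHA256 = 8
ECDSAP256SHA256 = 13


class Status(Enum):
    SECURE = "secure"      # NOERROR with the AD bit
    INSECURE = "insecure"  # NOERROR, treated as unsigned
    BOGUS = "bogus"        # SERVFAIL


def classify(ds_algs, compiled_in, runtime_ok, probe_runtime=False):
    """Classify a zone from the algorithms in its parent's DS RRset.

    ds_algs        algorithms listed in the DS records
    compiled_in    algorithms the validator was built to implement
    runtime_ok     algorithms the crypto library actually accepts under
                   the active system crypto policy
    probe_runtime  assumed behaviour: check the crypto library at startup
                   and treat rejected algorithms as not supported at all
    """
    supported = set(compiled_in)
    if probe_runtime:
        # A probed validator downgrades policy-rejected algorithms to
        # "not implemented", so they no longer count as an auth path.
        supported &= set(runtime_ok)
    usable = set(ds_algs) & supported
    if not usable:
        # RFC 4035 §5.2: no supported algorithm in the DS RRset means no
        # supported authentication path; treat the zone as unsigned.
        return Status.INSECURE
    # One validating chain suffices. If every usable algorithm is refused
    # by the crypto library, all signature checks fail and the zone is bogus.
    if usable & set(runtime_ok):
        return Status.SECURE
    return Status.BOGUS
```

With `probe_runtime=False` and SHA-1 compiled in but refused by the policy, `classify({RSASHA1}, {5, 7, 8, 13}, {8, 13})` yields `Status.BOGUS`, which is the SERVFAIL observed in the thread.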