Does Unbound + RHEL9 still perform SHA-1 verification?
FG NN
kazan.furin.shingen at gmail.com
Fri Mar 7 04:41:48 UTC 2025
Dear Paul
Thank you, Paul.
I understand.
Fri, Mar 7, 2025 12:27 Paul Wouters <paul at nohats.ca>:
>
>
> On Mar 6, 2025, at 21:10, FG NN <kazan.furin.shingen at gmail.com> wrote:
>
>
> Dear Paul
>
> Thank you very much.
> I do not want to enable SHA-1.
> I just want to know why SERVFAIL is returned for Unbound on a system where
> SHA-1 is supposed to be disabled.
>
>
> Because unbound tries sha1 and gets an error from the crypto library. If
> you want unbound to treat sha1 as unsigned, there is either a compile time
> flag or runtime flag to do that.
>
> Paul
>
>
> The dnssec-failed.org is BOGUS, but on RHEL 9 it should be Insecure.
>
> Fri, Mar 7, 2025 10:18 Paul Wouters <paul at nohats.ca>:
>
>> update-crypto-policies --set LEGACY
>> systemctl restart unbound
>>
>> Paul
>>
>> Sent using a virtual keyboard on a phone
>>
>> On Mar 6, 2025, at 19:11, FG NN via Unbound-users <
>> unbound-users at lists.nlnetlabs.nl> wrote:
>>
>>
>> Hello.
>> I am currently testing Unbound.
>> My environment is
>> ・RHEL 9.5
>> ・Unbound 1.22.0
>> I got the tarball from “https://nlnetlabs.nl/downloads/unbound/unbound-latest.tar.gz”
>> and built it with the option “--enable-systemd --with-libevent”.
>> My unbound.conf is as follows
>> ---
>> server:
>> interface: ens192
>> interface: 127.0.0.1
>> port: 53
>> msg-cache-slabs: 4
>> rrset-cache-slabs: 4
>> infra-cache-slabs: 4
>> key-cache-slabs: 4
>>
>> so-reuseport: yes
>> outgoing-num-tcp: 1000
>> incoming-num-tcp: 1000
>> msg-cache-size: 128m
>> rrset-cache-size: 256m
>> num-queries-per-thread: 2048
>>
>> do-ip6: no
>> do-daemonize: no
>>
>> access-control: 127.0.0.0/8 allow
>> access-control: 192.168.0.0/16 allow
>>
>> private-address: 192.168.0.0/16
>>
>> auto-trust-anchor-file: "/usr/local/etc/unbound/files/root.key"
>> root-hints: "/usr/local/etc/unbound/files/named.root"
>>
>> remote-control:
>> control-enable: yes
>> control-interface: 127.0.0.1
>> ---
>>
>> When attempting to resolve the name “dnssec-failed.org”, which is
>> signed with SHA-1, “SERVFAIL” is returned.
>> ---
>> # dig @127.0.0.1 dnssec-failed.org +dnssec
>>
>> ; <<>> DiG 9.16.23-RH <<>> @127.0.0.1 dnssec-failed.org +dnssec
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23429
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 1232
>> ;; QUESTION SECTION:
>> ;dnssec-failed.org. IN A
>>
>> ;; Query time: 0 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Thu Mar 06 14:28:14 JST 2025
>> ;; MSG SIZE rcvd: 46
>> ---
>> The result is the same after executing “update-crypto-policies --set
>> DEFAULT:NO-SHA1”.
>> (To begin with, SHA-1 is disabled in RHEL 9 by default.)
>> Normally, I have heard that in this case Unbound will reply
>> “NOERROR” as “Insecure”.
>> https://github.com/NLnetLabs/unbound/pull/660
>> Is there a problem with my configuration that is causing the SERVFAIL?
>> I know that if I just want to receive “NOERROR” as “Insecure”, I can
>> disable SHA-1 by adding the --disable-sha1 build option.
>> This is just a question for personal interest, but I hope someone can
>> answer it for me.
>>
>>
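An added illustration (not code from this thread or from Unbound) of the distinction Paul describes: a validator that knows up front that an algorithm is unsupported treats the zone as Insecure, whereas one that believes it can verify SHA-1 and only hits the crypto library's refusal at signature-check time ends up at Bogus, which the client sees as SERVFAIL. The algorithm numbers are real; the DS record, the `rhel9_no_sha1_verify` stand-in for the crypto library, and the two build scenarios (with and without `--disable-sha1`) are constructed assumptions.

```python
"""Toy model of a DNSSEC validator's Secure/Insecure/Bogus decision when the
system crypto library refuses an algorithm (SHA-1 under the RHEL 9 policy).
Constructed illustration, not Unbound's code."""
from dataclasses import dataclass
from typing import Callable, Iterable

# Algorithm numbers from the IANA DNSSEC algorithm registry.
RSASHA1, RSASHA1_NSEC3_SHA1, RSASHA256, ECDSAP256SHA256 = 5, 7, 8, 13
SHA1_ALGORITHMS = {RSASHA1, RSASHA1_NSEC3_SHA1}
NON_SHA1_ALGORITHMS = {RSASHA256, ECDSAP256SHA256}

@dataclass(frozen=True)
class DS:
    key_tag: int       # sample values below are constructed
    algorithm: int

def rhel9_no_sha1_verify(algorithm: int) -> bool:
    """Stand-in for OpenSSL with SHA-1 disabled by crypto policy: SHA-1
    signature checks raise an error rather than returning False."""
    if algorithm in SHA1_ALGORITHMS:
        raise RuntimeError("SHA-1 disabled by crypto policy")
    return True  # the constructed signature is assumed valid otherwise

def validation_state(ds_set: Iterable[DS], supported: set,
                     verify: Callable[[int], bool]) -> str:
    """RFC 4035 s.5.2 / RFC 6840 s.5.2: if no DS uses an algorithm the
    validator supports, the zone is treated as unsigned (Insecure). Once an
    algorithm is believed supported, a failed or erroring check means Bogus."""
    usable = [ds for ds in ds_set if ds.algorithm in supported]
    if not usable:
        return "insecure"
    for ds in usable:
        try:
            if verify(ds.algorithm):
                return "secure"
        except RuntimeError:
            pass  # refused at verify time, after the validator committed to SHA-1
    return "bogus"

def dig_header(state: str) -> tuple:
    """(status, AD flag) a dig +dnssec client sees for each outcome."""
    return {"secure": ("NOERROR", True), "insecure": ("NOERROR", False),
            "bogus": ("SERVFAIL", False)}[state]

def scenario(disable_sha1_build: bool, ds_set=(DS(12345, RSASHA1),)) -> str:
    """With --disable-sha1 Unbound drops SHA-1 from its supported set up front."""
    supported = set(NON_SHA1_ALGORITHMS)
    if not disable_sha1_build:
        supported |= SHA1_ALGORITHMS  # validator believes it can verify SHA-1
    return validation_state(ds_set, supported, rhel9_no_sha1_verify)
```

A zone carrying both a SHA-1 and a SHA-256 DS still validates as Secure in this model, because the loop moves on to the next usable algorithm after the SHA-1 refusal.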