Time to re-evaluate the default SHA1 policies on RHEL...

Quoting from https://bind9.readthedocs.io/en/v9.20.15/notes.html#security-fixes

> DNSSEC validation fails if matching but invalid DNSKEY is found. (CVE-2025-8677)
>
> Previously, if a matching but cryptographically invalid key was encountered during DNSSEC validation, the key was skipped and not counted towards validation failures. named now treats such DNSSEC keys as hard failures and the DNSSEC validation fails immediately, instead of continuing with the next DNSKEYs in the RRset.

IIUC, this means that any zone with a RSASHA1 key will now fail validation on Red Hat systems using default policies, even if other keys are present. Is that correct? Is it intentional?

If correct, then I believe it will break a number of zones with leftover RSASHA1 keys and signatures. Anyone still having such keys in their zones should purge them ASAP. And resolver operators running BIND on RHEL9 should consider running

  update-crypto-policies --set DEFAULT:SHA1

to prevent unexpected failures.

Bjørn

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.
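To find the leftover SHA1-based keys and signatures the post warns about, here is an added audit script (not from the post or from BIND) that scans DNSKEY and RRSIG records in presentation format, such as the output of `dig +dnssec DNSKEY <zone>`, and reports any using a SHA-1 based DNSSEC algorithm. The sample records and key material are constructed placeholders.

```python
"""Report DNSKEY/RRSIG records that use SHA-1 based DNSSEC algorithms.
Input is zone data in presentation format (dig or zone-file style)."""
import re

# DNSSEC algorithm numbers (IANA registry) whose signatures rely on SHA-1.
SHA1_ALGORITHMS = {3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1"}

# owner [TTL] [IN] DNSKEY flags protocol algorithm key...
DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(?P<flags>\d+)\s+\d+\s+(?P<alg>\d+)\s+")
# owner [TTL] [IN] RRSIG type-covered algorithm labels ...
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?RRSIG\s+(?P<covered>\S+)\s+(?P<alg>\d+)\s+")

def find_sha1_records(text):
    """Return (rrtype, owner, algorithm name, detail) for every DNSKEY or RRSIG
    in `text` that uses a SHA-1 based algorithm; detail is the key role
    (KSK/ZSK from the SEP flag bit) or the RRSIG's covered type."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # skip blanks and dig comments
            continue
        m = DNSKEY_RE.match(line)
        if m:
            alg = int(m.group("alg"))
            if alg in SHA1_ALGORITHMS:
                role = "KSK" if int(m.group("flags")) & 1 else "ZSK"  # SEP bit
                findings.append(("DNSKEY", m.group("owner"), SHA1_ALGORITHMS[alg], role))
            continue
        m = RRSIG_RE.match(line)
        if m and int(m.group("alg")) in SHA1_ALGORITHMS:
            findings.append(("RRSIG", m.group("owner"),
                             SHA1_ALGORITHMS[int(m.group("alg"))], m.group("covered")))
    return findings

# Constructed sample: an ECDSAP256 (13) KSK/ZSK pair plus a leftover RSASHA1 (5)
# ZSK and its signature. Key and signature fields are placeholders, not real data.
SAMPLE = """; <<>> constructed dig output <<>>
example.test. 3600 IN DNSKEY 257 3 13 PLACEHOLDERKSK==
example.test. 3600 IN DNSKEY 256 3 13 PLACEHOLDERZSK==
example.test. 3600 IN DNSKEY 256 3 5 PLACEHOLDEROLDRSASHA1==
example.test. 3600 IN RRSIG DNSKEY 5 2 3600 20250101000000 20241201000000 12345 example.test. PLACEHOLDERSIG==
example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20250101000000 20241201000000 54321 example.test. PLACEHOLDERSIG==
"""

if __name__ == "__main__":
    for rrtype, owner, alg, detail in find_sha1_records(SAMPLE):
        print(f"{rrtype:6} {owner} uses {alg} ({detail}); expect hard validation failure")
```

Feed it real `dig +dnssec DNSKEY` output for each zone you sign; anything it lists is a candidate for purging before resolvers pick up the new hard-failure behaviour.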

