Can you please share a public domain name where this can be tested? I promise we won't steal it from you. I can create some for testing, but that would delay delivering fixes even more.

No, it should not happen and is an undesired issue if it does. I admit we run the bind9 test suite with the DEFAULT:SHA1 policy to avoid unexpected false positives. If we had this fixed properly, it might have warned us. But we are still preparing unmodified upstream fixes. This seems like a regression we want to fix too.

I admit we do not have any test of our own doing validation of a disabled and a supported algorithm at the same time. It seems like one should be created ASAP.

On 31/10/2025 13:05, [email protected] wrote:
>> No. Algorithm 5 and 7 are skipped earlier and should never reach the
>> code affected.
> However, the observed behavior, which started this, is that a zone
> signed with both algorithm 7 and algorithm 13 failed. The client
> (me) received SERVFAIL.
>
>> No crypto policy will change any of this, you do not have to lower
>> your security defaults to avoid that.
> Well, the policy change that Bjørn made definitely makes the zone
> in question resolve again.
>
>> Please wait a few days, proper fixes are on the way!
> Unfortunately the real world doesn't have that kind of patience.
>
> Steinar Haug, AS2116
It is our current top priority and I cannot comment on it further.

--
Petr Menšík
Senior Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
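The behaviour discussed in this thread, a zone signed with both a policy-disabled algorithm (7, RSASHA1-NSEC3-SHA1) and a supported one (13, ECDSAP256SHA256) that should still validate, can be checked with a small model of the validator's decision rule. The following is an added example, not code from the thread or from BIND 9: it models the RFC 4035 section 5.2 rule that algorithms the validator cannot use are treated as unsupported rather than as failed, and it contrasts that with a regressed validator that attempts the disabled algorithm and counts the crypto failure as bogus. All names (`Rrsig`, `validate_rrset`, `crypto_check`) and the sample signatures are constructed for this illustration.

```python
"""Toy model of DNSSEC multi-algorithm validation under a crypto policy.

Added example (not from bind-users or BIND 9). Algorithm numbers are the
IANA DNSSEC algorithm registry values; everything else is constructed.
"""
from dataclasses import dataclass

RSASHA1 = 5
RSASHA1_NSEC3_SHA1 = 7
ECDSAP256SHA256 = 13


@dataclass(frozen=True)
class Rrsig:
    """One RRSIG over the RRset; `valid` is the constructed crypto outcome."""
    algorithm: int
    valid: bool


def crypto_check(sig: Rrsig, disabled_by_policy: set[int]) -> bool:
    """Simulates the crypto library: a policy-disabled algorithm cannot be
    used at all, so any attempt to verify with it fails."""
    if sig.algorithm in disabled_by_policy:
        return False
    return sig.valid


def validate_rrset(rrsigs: list[Rrsig], supported: set[int],
                   disabled_by_policy: set[int], regressed: bool = False) -> str:
    """Return 'secure', 'bogus' or 'insecure' for the covered RRset.

    Correct behaviour (RFC 4035 section 5.2): signatures whose algorithm the
    validator cannot use are skipped, and the RRset is secure if at least one
    usable signature verifies. If nothing is usable the RRset is treated as
    unsigned (insecure), not as bogus.

    `regressed=True` models the failure mode from the thread: the disabled
    algorithm is not skipped, the library refuses it, and that refusal is
    counted as a failed signature, so the whole RRset ends up bogus (SERVFAIL).
    """
    if regressed:
        attempted = [s for s in rrsigs if s.algorithm in supported]
        if not attempted:
            return "insecure"
        return "secure" if all(crypto_check(s, disabled_by_policy)
                               for s in attempted) else "bogus"

    usable = [s for s in rrsigs
              if s.algorithm in supported and s.algorithm not in disabled_by_policy]
    if not usable:
        return "insecure"
    return "secure" if any(crypto_check(s, disabled_by_policy)
                           for s in usable) else "bogus"


def thread_scenario() -> dict[str, str]:
    """The zone from the thread: RRSIGs by algorithm 7 and 13, with SHA-1
    disabled by the system crypto policy. Returns both validators' verdicts."""
    rrsigs = [Rrsig(RSASHA1_NSEC3_SHA1, True), Rrsig(ECDSAP256SHA256, True)]
    supported = {RSASHA1, RSASHA1_NSEC3_SHA1, ECDSAP256SHA256}
    disabled = {RSASHA1, RSASHA1_NSEC3_SHA1}
    return {
        "correct": validate_rrset(rrsigs, supported, disabled),
        "regressed": validate_rrset(rrsigs, supported, disabled, regressed=True),
    }


if __name__ == "__main__":
    for name, verdict in thread_scenario().items():
        print(f"{name:9s} validator -> {verdict}")
```

The `thread_scenario` function is the case the thread describes and is the one a regression test would pin: the correct validator answers `secure`, the regressed one answers `bogus`. The same function can be reused for the test mentioned in the reply (a disabled and a supported algorithm validated together) by varying the `disabled` set and the constructed `valid` flags.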
