Thank you!
Yes, I think this slipped untested and is present not only in 9.20, but
also in 9.18 I just built.
Thank you for the quick testing domain!
Yes, this passed on previous delv +vtrace test.mork.no., but fails with
fresh fixes applied.
This is an unintentional regression. There are many tests, but none of them
tries a combination of supported and unsupported together. I think dual
signing is rare in DNSSEC, but maybe not so much.
An additional pity is the inability to test this with the delv tool on a system
where RSA1 is not disabled. It needs a crypto library refusing to try SHA1,
which for example is not implemented on Fedora the same way. Disabling by
configuration file is supported only in named, where it is not so simple
to debug.
This is an even bigger problem on RHEL10, where DEFAULT:SHA1 is not
provided anymore. This is not trivially testable on the rootcanary.org test.
So yes, our fixes will be delayed a bit. We want this fixed before
releasing our fixed builds.
Cheers,
Petr
On 31/10/2025 14:20, Bjørn Mork via bind-users wrote:
I created an empty test zone demonstrating the issue at test.mork.no
since I assume Steinar wants to fix globalconnect.no ASAP.
My test is using this policy:
dnssec-policy "buggy" {
    keys {
        ksk lifetime unlimited algorithm ecdsa256;
        ksk lifetime unlimited algorithm rsasha1;
        zsk lifetime unlimited algorithm ecdsa256;
        zsk lifetime unlimited algorithm rsasha1;
    };
    purge-keys 0; // never purge deleted keys
};
It looks like this on BIND 9.20.15 on Debian:
$ dig soa test.mork.no +do +multiline
; <<>> DiG 9.20.15-1~deb13u1-Debian <<>> soa test.mork.no +do +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33562
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: e9034514aa89ecaf010000006904b6fc1d1d21c9dd0f3271 (good)
;; QUESTION SECTION:
;test.mork.no. IN SOA
;; ANSWER SECTION:
test.mork.no.           42706 IN SOA dilbert.mork.no. bjorn.mork.no. (
                                2025103104 ; serial
                                14400      ; refresh (4 hours)
                                3600       ; retry (1 hour)
                                3628800    ; expire (6 weeks)
                                43200      ; minimum (12 hours)
                                )
test.mork.no.           42706 IN RRSIG SOA 5 3 43200 (
                                20251114130703 20251031120703 41785
                                test.mork.no.
                                KCp2cNNGa1WUFamqy1ybKkxynvnuSvms3cWD8d9/TAq2
                                XfkUiJxz4ccbZoS0wK3aa0mA1YiKANKlscrjpRkJw/RP
                                Qkw7Ci3hiIHlDd50DM2rSh74U7GdABrNUJcGuaKpj8DT
                                vNCH4nkJbxHehYhDe3jICVR710t4EHtuUn42tuJpjxLf
                                sv8N9oaVcdhv5pHmbgTSIQ3ZdRvgM954M4QPYCGPxYLP
                                iUf5rT8jeYw9gpCye5zgpld5kcJHDx9Sgb78y2OXRd+J
                                T2blFVgqTioFUQopFzIzGilRA6u4fnJcsItRtOYMNhSm
                                6cGjBpmPrKIW/vzA4K50AqUfsOIPhIeezw== )
test.mork.no.           42706 IN RRSIG SOA 13 3 43200 (
                                20251114130703 20251031120703 38456
                                test.mork.no.
                                gzbDNH4wWWdDD8WJu7rTW37RwGp+EBkPbiOZYZsOLnnk
                                Xm3oILf9dKUjq0T8yEDVqbjV39ZXOknj3ZpgGN3ZnQ== )
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Oct 31 14:17:48 CET 2025
;; MSG SIZE rcvd: 527
And like this on RHEL9 using default crypto policies:
$ dig soa test.mork.no +do +multiline @redacted
; <<>> DiG 9.20.15-1~deb13u1-Debian <<>> soa test.mork.no +do +multiline @ti0300o830-ipv4.ti.telenor.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35775
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: eb17c1af58c156fb010000006904b74f39c1351b58c1fde6 (good)
;; QUESTION SECTION:
;test.mork.no. IN SOA
;; Query time: 200 msec
;; SERVER: redacted#53(redacted) (UDP)
;; WHEN: Fri Oct 31 14:19:11 CET 2025
;; MSG SIZE rcvd: 69
Bjørn
--
Petr Menšík
Senior Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
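As an added illustration (not from Bjørn's or Petr's mail, and not BIND code), the script below pulls the RRSIG algorithm numbers out of the dig +multiline output quoted above and models the outcome a validator should reach under RFC 6840 section 5.2 (signatures with unsupported algorithms are ignored; the RRset is insecure only when no supported signature is left) next to the SERVFAIL behaviour seen on RHEL9. The "regressed" model is an assumption drawn from the symptoms in the thread, not a reading of the BIND source; the sample output is a trimmed copy of the quoted dig answer.

```python
import re

# Constructed sample: header lines of the SOA answer quoted in the thread,
# with the base64 signature data elided ("...").
DIG_OUTPUT = """\
test.mork.no. 42706 IN SOA dilbert.mork.no. bjorn.mork.no. (
                                2025103104 ; serial
                                )
test.mork.no. 42706 IN RRSIG SOA 5 3 43200 (
                                20251114130703 20251031120703 41785
                                test.mork.no. ... )
test.mork.no. 42706 IN RRSIG SOA 13 3 43200 (
                                20251114130703 20251031120703 38456
                                test.mork.no. ... )
"""

# owner TTL IN RRSIG <type covered> <algorithm> <labels> <original TTL> (
RRSIG_RE = re.compile(r"^\S+\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+(\d+)\s+\d+\s+\d+", re.M)

# Subset of the IANA DNSSEC algorithm registry, for readable reports.
ALG_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
             10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
             15: "ED25519"}

# Algorithms a resolver loses when the crypto policy refuses SHA1,
# as on RHEL9 with the default policy in the thread (assumption).
SHA1_DISABLED = {5, 7}


def rrsig_algorithms(text):
    """Map each covered RRtype to the set of RRSIG algorithm numbers."""
    found = {}
    for covered, alg in RRSIG_RE.findall(text):
        found.setdefault(covered, set()).add(int(alg))
    return found


def expected_outcome(algs, disabled):
    """RFC 6840 section 5.2 model: drop unsupported signatures; validate
    with any supported one (assumed to verify), else treat as insecure."""
    return "secure" if set(algs) - set(disabled) else "insecure"


def regressed_outcome(algs, disabled):
    """Model of the reported regression: any unsupported signature on the
    RRset turns the whole answer bogus (SERVFAIL), even when a supported
    signature is present. Assumption from the symptoms, not BIND's code."""
    return "bogus" if set(algs) & set(disabled) else "secure"


def report(text, disabled=SHA1_DISABLED):
    """Per RRtype: signing algorithms, expected result, regressed result."""
    return {t: ([ALG_NAMES.get(a, str(a)) for a in sorted(algs)],
                expected_outcome(algs, disabled),
                regressed_outcome(algs, disabled))
            for t, algs in rrsig_algorithms(text).items()}
```

With the thread's dual-signed SOA, `report(DIG_OUTPUT)` gives `secure` for the expected model and `bogus` for the regressed one, which is the Debian-versus-RHEL9 difference Bjørn observed.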
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list.