Dear Paul,

Thank you very much. I do not want to enable SHA-1. I just want to know why SERVFAIL is returned for Unbound on a system where SHA-1 is supposed to be disabled. dnssec-failed.org is BOGUS, but on RHEL 9 it should be Insecure.
On Fri, Mar 7, 2025 at 10:18 Paul Wouters <p...@nohats.ca> wrote:
> update-crypto-policies --set LEGACY
> systemctl restart unbound
>
> Paul
>
> Sent using a virtual keyboard on a phone
>
> On Mar 6, 2025, at 19:11, FG NN via Unbound-users <unbound-users@lists.nlnetlabs.nl> wrote:
>
> Hello.
> I am currently testing Unbound.
> My environment is
> ・RHEL 9.5
> ・Unbound 1.22.0
> I got the tarball from "https://nlnetlabs.nl/downloads/unbound/unbound-latest.tar.gz" and built it with the options "--enable-systemd --with-libevent".
> My unbound.conf is as follows
> ---
> server:
>     interface: ens192
>     interface: 127.0.0.1
>     port: 53
>     msg-cache-slabs: 4
>     rrset-cache-slabs: 4
>     infra-cache-slabs: 4
>     key-cache-slabs: 4
>
>     so-reuseport: yes
>     outgoing-num-tcp: 1000
>     incoming-num-tcp: 1000
>     msg-cache-size: 128m
>     rrset-cache-size: 256m
>     num-queries-per-thread: 2048
>
>     do-ip6: no
>     do-daemonize: no
>
>     access-control: 127.0.0.0/8 allow
>     access-control: 192.168.0.0/16 allow
>
>     private-address: 192.168.0.0/16
>
>     auto-trust-anchor-file: "/usr/local/etc/unbound/files/root.key"
>     root-hints: "/usr/local/etc/unbound/files/named.root"
>
> remote-control:
>     control-enable: yes
>     control-interface: 127.0.0.1
> ---
>
> When attempting to resolve the name "dnssec-failed.org", which is signed with SHA-1, "SERVFAIL" is returned.
> ---
> # dig @127.0.0.1 dnssec-failed.org +dnssec
>
> ; <<>> DiG 9.16.23-RH <<>> @127.0.0.1 dnssec-failed.org +dnssec
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23429
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1232
> ;; QUESTION SECTION:
> ;dnssec-failed.org. IN A
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Thu Mar 06 14:28:14 JST 2025
> ;; MSG SIZE rcvd: 46
> ---
> The result is the same after executing "update-crypto-policies --set DEFAULT:NO-SHA1".
> (To begin with, SHA-1 is disabled in RHEL 9 by default.)
> Normally, I have heard that in this case Unbound will reply "NOERROR" as "Insecure".
> https://github.com/NLnetLabs/unbound/pull/660
> Is there a problem with my configuration that is causing the SERVFAIL?
> I know that if I just want to receive "NOERROR" as "Insecure", I can disable SHA-1 by adding the --disable-sha1 build option.
> This is just a question for personal interest, but I hope someone can answer it for me.
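The thread turns on telling three validator outcomes apart from what dig shows: a SERVFAIL that goes away when the query is repeated with +cd (checking disabled) is a validation failure, i.e. BOGUS; a NOERROR answer carrying the ad flag is Secure; a NOERROR answer without ad is Insecure, which is what the original poster expected for a zone whose algorithm the validator does not support. The following script is an added example, not code from the thread or from the Unbound project. It parses dig's header and flags lines and applies that decision rule. The embedded dig outputs are constructed samples: the SERVFAIL one mirrors the header shape in the post, the others are invented to cover the remaining cases. The optional live check at the bottom shells out to dig against a resolver address you pass in and is an assumption about your environment, not something run by default.

```python
import re
import subprocess

# Constructed sample dig outputs (header + flags lines only). The first mirrors
# the SERVFAIL shape shown in the post; the rest are invented for the other cases.
DIG_SERVFAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23429
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
DIG_CD_NOERROR = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
DIG_INSECURE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
DIG_SECURE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1003
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""

_STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
_FLAGS_RE = re.compile(r"^;; flags:\s*([^;]*);", re.MULTILINE)


def parse_dig(output):
    """Return (rcode, set of header flags) from dig's ';; ->>HEADER<<-' and ';; flags:' lines."""
    status = _STATUS_RE.search(output)
    if not status:
        raise ValueError("no 'status:' field found in dig output")
    flags_match = _FLAGS_RE.search(output)
    flags = set(flags_match.group(1).split()) if flags_match else set()
    return status.group(1), flags


def classify(dnssec_output, cd_output):
    """Classify a validating resolver's answer.

    dnssec_output: output of `dig <name> +dnssec` (DO bit set, validation on).
    cd_output:     output of the same query with +cd (validation bypassed).

    Returns one of: 'secure', 'insecure', 'bogus', 'servfail-unrelated', or
    'other:<RCODE>' for rcodes this helper does not interpret.
    """
    rcode, flags = parse_dig(dnssec_output)
    cd_rcode, _ = parse_dig(cd_output)

    # NOERROR/NXDOMAIN with the AD bit: the validator proved the answer (Secure).
    # Without AD: the validator could not build a chain of trust (Insecure).
    if rcode in ("NOERROR", "NXDOMAIN"):
        return "secure" if "ad" in flags else "insecure"

    if rcode == "SERVFAIL":
        # If the answer comes back fine with checking disabled, the only thing
        # that failed was validation: the data is Bogus.
        if cd_rcode == "SERVFAIL":
            return "servfail-unrelated"  # upstream/transport problem, not DNSSEC
        return "bogus"

    return "other:" + rcode


def run_dig(name, server):
    """Live check (assumption: `dig` is installed and `server` is a validating resolver)."""
    base = ["dig", "@" + server, name, "+dnssec", "+noall", "+comments"]
    with_validation = subprocess.run(base, capture_output=True, text=True).stdout
    without_validation = subprocess.run(base + ["+cd"], capture_output=True, text=True).stdout
    return classify(with_validation, without_validation)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print("post's SERVFAIL, NOERROR with +cd ->", classify(DIG_SERVFAIL, DIG_CD_NOERROR))
    print("NOERROR without ad               ->", classify(DIG_INSECURE, DIG_INSECURE))
    print("NOERROR with ad                  ->", classify(DIG_SECURE, DIG_SECURE))
```

To apply it to the situation in the thread, call `run_dig("dnssec-failed.org", "127.0.0.1")`: a result of `bogus` means the resolver attempted validation and rejected the signatures, whereas `insecure` is the outcome the poster expected for an algorithm the validator treats as unsupported. The +cd comparison matters because it separates a validation failure from an unrelated SERVFAIL (for example an unreachable upstream), which the single dig run in the post cannot do on its own.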