Re: Unsupported DNSSEC algorithms should not lead to SERVFAIL.

Thu, 06 Nov 2025 10:59:07 -0800 

Ondřej, do you have an ETA for (9.18) releases which contain the fixes?


On 11/4/2025 4:27 AM, Ondřej Surý wrote:

Agreed.

I would suggest doing a full bug report into an issue next time and including 
all the relevant details instead of piggybacking on an internal issue.

There is a subtle difference between #5570 and the issue reported below, and 
thus these are two distinct bugs.

Ondrej
--
Ondřej Surý (He/Him)
[email protected]

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.


On 4. 11. 2025, at 7:21, Petr Menšík via bind-users <[email protected]> 
wrote:

Unfortunately this is a rare moment, when Ondřej is not correct. This affects 
all versions, which included fix for CVE-2025-8677. Yes, I verified also our 
builds are affected. Fedora 9.18.41 contains the same problem, but OpenSSL 
library does not prevent usage of 5 and 7 algorithms there. It is not visible.

But in any case, similar reports should contain delv +vtrace output from your 
side. Especially because it should be able to reproduce it on any system, which 
disables RSASHA1 and RSASHA1NSEC3 algorithms. But delv tool shows wrong 
behaviour only on CentOS 9 or CentOS 10 derivatives. On other systems it seems 
unaffected on the first glance.

Development version contains code modifications, which has similar problem in a 
bit different place and with different fix needed. But unlike original 
assumption it affects also stable versions.

Cheers,
Petr

On 30/10/2025 22:39, Ondřej Surý wrote:

No, you have not been caught by this. The issue you are referring to affects 
only a development
version of BIND 9 (9.21), so whatever you are experiencing is not related to 
this.

You need to provide evidence (logs, reproducer) about what is going on, so we 
can help you
diagnose the issue you are experiencing.

Ondrej
--
Ondřej Surý (He/Him)
[email protected]

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.


--
Petr Menšík
Senior Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list.




--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list.

Reply via email to