Thank you for the testing zone!
Thank you for creating a dedicated testing domain for this; it helped me
focus on finding the cause of the problem.
Change merged:
9.18: https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11211
9.20: https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11210
Fixes are the same for those versions.
There are fixes prepared; our RHEL and CentOS will contain them already.
Extra note: this can be tested even on Fedora with the DEFAULT:NO-SHA1
crypto-policy chosen. That is never the default, but it can be chosen manually.
Other distributions can emulate this with the content that
/etc/crypto-policies/back-ends/bind.config has when this policy is active. That is:
disable-algorithms "." {
    RSAMD5;
    RSASHA1;
    NSEC3RSASHA1;
    DSA;
    NSEC3DSA;
    ECCGOST;
};
disable-ds-digests "." {
    SHA-1;
    GOST;
};
Of course that can be configured only in named.conf. named -d 3 would
provide output similar to delv +vtrace in the named log.
On 31/10/2025 14:20, Bjørn Mork via bind-users wrote:
I created an empty test zone demonstrating the issue at test.mork.no,
since I assume Steinar wants to fix globalconnect.no ASAP.
My test is using this policy:
dnssec-policy "buggy" {
    keys {
        ksk lifetime unlimited algorithm ecdsa256;
        ksk lifetime unlimited algorithm rsasha1;
        zsk lifetime unlimited algorithm ecdsa256;
        zsk lifetime unlimited algorithm rsasha1;
    };
    purge-keys 0; // never purge deleted keys
};
It looks like this on BIND 9.20.15 on Debian:
$ dig soa test.mork.no +do +multiline
; <<>> DiG 9.20.15-1~deb13u1-Debian <<>> soa test.mork.no +do +multiline
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33562
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: e9034514aa89ecaf010000006904b6fc1d1d21c9dd0f3271 (good)
;; QUESTION SECTION:
;test.mork.no. IN SOA
;; ANSWER SECTION:
test.mork.no. 42706 IN SOA dilbert.mork.no. bjorn.mork.no. (
2025103104 ; serial
14400 ; refresh (4 hours)
3600 ; retry (1 hour)
3628800 ; expire (6 weeks)
43200 ; minimum (12 hours)
)
test.mork.no. 42706 IN RRSIG SOA 5 3 43200 (
20251114130703 20251031120703 41785
test.mork.no.
KCp2cNNGa1WUFamqy1ybKkxynvnuSvms3cWD8d9/TAq2
XfkUiJxz4ccbZoS0wK3aa0mA1YiKANKlscrjpRkJw/RP
Qkw7Ci3hiIHlDd50DM2rSh74U7GdABrNUJcGuaKpj8DT
vNCH4nkJbxHehYhDe3jICVR710t4EHtuUn42tuJpjxLf
sv8N9oaVcdhv5pHmbgTSIQ3ZdRvgM954M4QPYCGPxYLP
iUf5rT8jeYw9gpCye5zgpld5kcJHDx9Sgb78y2OXRd+J
T2blFVgqTioFUQopFzIzGilRA6u4fnJcsItRtOYMNhSm
6cGjBpmPrKIW/vzA4K50AqUfsOIPhIeezw== )
test.mork.no. 42706 IN RRSIG SOA 13 3 43200 (
20251114130703 20251031120703 38456
test.mork.no.
gzbDNH4wWWdDD8WJu7rTW37RwGp+EBkPbiOZYZsOLnnk
Xm3oILf9dKUjq0T8yEDVqbjV39ZXOknj3ZpgGN3ZnQ== )
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Oct 31 14:17:48 CET 2025
;; MSG SIZE rcvd: 527
And like this on RHEL9 using default crypto policies:
$ dig soa test.mork.no +do +multiline @redacted
; <<>> DiG 9.20.15-1~deb13u1-Debian <<>> soa test.mork.no +do +multiline @ti0300o830-ipv4.ti.telenor.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35775
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: eb17c1af58c156fb010000006904b74f39c1351b58c1fde6 (good)
;; QUESTION SECTION:
;test.mork.no. IN SOA
;; Query time: 200 msec
;; SERVER: redacted#53(redacted) (UDP)
;; WHEN: Fri Oct 31 14:19:11 CET 2025
;; MSG SIZE rcvd: 69
Bjørn
--
Petr Menšík
Senior Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
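As an added example that is not part of this thread and not BIND's own code: a small Python script that reads a disable-algorithms block (like the bind.config content Petr quotes) and the RRSIG records from dig +multiline output (like Bjørn's), and reports, per RRset, which signatures a validator running under that policy will ignore and whether any usable signature remains. The embedded config and dig excerpt are constructed from the text of this thread (signature data truncated); the function names and the mnemonic table are my own. It is a static check of the published signatures, not a reproduction of the resolver behaviour discussed above.

```python
import re

# BIND algorithm mnemonics accepted by disable-algorithms, mapped to the
# IANA DNSSEC algorithm numbers that appear in RRSIG records.
ALGORITHM_NUMBERS = {
    "RSAMD5": 1, "DSA": 3, "RSASHA1": 5, "NSEC3DSA": 6, "NSEC3RSASHA1": 7,
    "RSASHA256": 8, "RSASHA512": 10, "ECCGOST": 12, "ECDSAP256SHA256": 13,
    "ECDSAP384SHA384": 14, "ED25519": 15, "ED448": 16,
}
NUMBER_TO_NAME = {v: k for k, v in ALGORITHM_NUMBERS.items()}

# Constructed sample: the bind.config content quoted in the thread.
SAMPLE_BIND_CONFIG = """
disable-algorithms "." {
    RSAMD5;
    RSASHA1;
    NSEC3RSASHA1;
    DSA;
    NSEC3DSA;
    ECCGOST;
};
disable-ds-digests "." {
    SHA-1;
    GOST;
};
"""

# Constructed sample: the SOA RRset and its two RRSIGs from the dig output
# in the thread, with the base64 signature data truncated.
SAMPLE_DIG_OUTPUT = """
test.mork.no. 42706 IN SOA dilbert.mork.no. bjorn.mork.no. (
    2025103104 ; serial
    )
test.mork.no. 42706 IN RRSIG SOA 5 3 43200 (
    20251114130703 20251031120703 41785
    test.mork.no.
    KCp2cNNG... )
test.mork.no. 42706 IN RRSIG SOA 13 3 43200 (
    20251114130703 20251031120703 38456
    test.mork.no.
    gzbDNH4w... )
"""


def parse_disabled_algorithms(config_text, zone="."):
    """Return the set of algorithm numbers listed in disable-algorithms for `zone`."""
    pattern = re.compile(r'disable-algorithms\s+"%s"\s*\{([^}]*)\}' % re.escape(zone))
    match = pattern.search(config_text)
    if not match:
        return set()
    names = [n.strip() for n in match.group(1).split(";") if n.strip()]
    unknown = [n for n in names if n.upper() not in ALGORITHM_NUMBERS]
    if unknown:
        raise ValueError(f"unknown algorithm mnemonic(s): {unknown}")
    return {ALGORITHM_NUMBERS[n.upper()] for n in names}


# Owner, TTL, class, RRSIG, type covered, algorithm, labels, original TTL.
RRSIG_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+(\d+)\s+\d+\s+\d+", re.MULTILINE)


def parse_rrsigs(dig_output):
    """Return (owner, covered_type, algorithm_number) for each RRSIG in dig +multiline output."""
    return [(owner, covered, int(alg)) for owner, covered, alg in RRSIG_RE.findall(dig_output)]


def check_rrsets(dig_output, disabled):
    """Group signatures per RRset into those a validator with `disabled` ignores and those it can use."""
    report = {}
    for owner, covered, alg in parse_rrsigs(dig_output):
        entry = report.setdefault((owner, covered), {"usable": [], "ignored": []})
        entry["ignored" if alg in disabled else "usable"].append(alg)
    return report


def summarize(report):
    """One human-readable line per RRset; RRsets without a usable signature are flagged."""
    lines = []
    for (owner, covered), entry in sorted(report.items()):
        ignored = ", ".join(NUMBER_TO_NAME.get(a, str(a)) for a in entry["ignored"]) or "none"
        usable = ", ".join(NUMBER_TO_NAME.get(a, str(a)) for a in entry["usable"]) or "none"
        status = "OK" if entry["usable"] else "NO USABLE SIGNATURE"
        lines.append(f"{owner} {covered}: ignored [{ignored}] usable [{usable}] -> {status}")
    return lines


if __name__ == "__main__":
    disabled = parse_disabled_algorithms(SAMPLE_BIND_CONFIG)
    for line in summarize(check_rrsets(SAMPLE_DIG_OUTPUT, disabled)):
        print(line)
```

Run against a full `dig <name> <type> +do +multiline` capture and the bind.config of the policy you are evaluating; an RRset whose only signatures use disabled algorithms is the one a validator under that policy cannot prove secure, while the sample SOA above still has an ECDSAP256SHA256 signature left once RSASHA1 is ignored.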
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list.