Petr Menšík via bind-users <[email protected]> writes:
> Other distributions can emulate this by content
> /etc/crypto-policies/back-ends/bind.config has when this is
> active. That is:
>
> disable-algorithms "." {
> RSAMD5;
> RSASHA1;
> NSEC3RSASHA1;
> DSA;
> NSEC3DSA;
> ECCGOST;
> };
> disable-ds-digests "." {
> SHA-1;
> GOST;
> };
>
> Of course that can be configured only in named.conf. named -d 3 would
> provide output similar to delv +vtrace into named log.
Thanks for the quick fix. That part looks good.
But I'm unable to reproduce the original issue with the current 9.20.15-based
package in Debian. Probably doing something wrong...
I created an extremely stripped down named.conf for testing:
options {
disable-algorithms . {
RSASHA1;
};
listen-on-v6 { any; };
allow-recursion { localnets; };
};
and expected "test.mork.no" to fail with that. But it doesn't.
I still get validated replies instead of the expected SERVFAIL:
bjorn@miraculix:~$ dig a test.mork.no @::1 +do
; <<>> DiG 9.20.15-1~deb13u1-Debian <<>> a test.mork.no @::1 +do
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37606
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 67a660c703a1f12201000000690de7eccafae57910b5888d (good)
;; QUESTION SECTION:
;test.mork.no. IN A
;; AUTHORITY SECTION:
test.mork.no. 10800 IN SOA dilbert.mork.no. bjorn.mork.no.
2025103107 14400 3600 3628800 43200
test.mork.no. 10800 IN RRSIG SOA 5 3 43200 20251116150415
20251102140415 41785 test.mork.no.
pSMcLgbpRWjyuvmPyZhZRkQJ3ZOl1edM+4tr8wWzpEaSzKoPl+61BIhp
+84k9xQQY5kB/DykL7uTGh3Tc/V2KDNTPoAsFwSMT+jHkRuI+2UTk1zg
42yOxAIlOAV0Wqg0N9JzBYsd3gyONdvZ88DY1UvnDdUcFY7aVO3DWAIz
0z/PVK84f6/U+mWiuLJakHbsr9Ub0DgZeR+hXSak65cfjD/jnHBUNlyl
8xwG83kmJW0Ny9It0G9phTeYf5+aSVt9SO1+I9K6oNl/45wtADWL6ZuX
0cKOg70lNs7Z98OJDptkb5HV4N/3xTcuFKCaEmMpOlXf8t5WG8JlYwTf faxKbg==
test.mork.no. 10800 IN RRSIG SOA 13 3 43200 20251116150415
20251102140415 38456 test.mork.no.
393X9DjqIRsa4lrC8Prf9WHLxS6j6WedZo7aI0/koLXnWL8T+f73WL8u
DJRMDJctE7JKkrQrEp+Sg7gOuA0N5A==
test.mork.no. 10800 IN RRSIG NSEC 5 3 43200 20251115130415
20251101120415 41785 test.mork.no.
JxH+DveDAGmHBPIdJBaRFFepPd6nPejamlDeJSA/Gxd/j1O9hYM6uIdH
FCQkl6BbZb4Tl1jgGk7srKsrlgN+A8KooRDG/mj+gzDshVsawlNImnTC
iOxOa1p/NgsW9ruKGcmcaDpEVch/RSPoEzkePf/ILgV6u/bzCr51OofQ
34JtmPsmzew5jnZ4KgVtpnDCw3iUXd7YgNb8KnjBexBw0juV9SKd4tro
Ai+FLMJBgxe2WDpLKKnWbFYes3gBFNcvcA8vxvvLJyExisnoTOXH2ml5
SUr2ZY5Ym+tmNFl4HtgdvpV+OsAYI9Dfk00eiS3JPKIBV0lYZ8lNOmj3 VAGSOg==
test.mork.no. 10800 IN RRSIG NSEC 13 3 43200 20251115130415
20251101120415 38456 test.mork.no.
SeAXjRk7hg7+2a/dw0VI2yTQ0uxxuDkqzvlQi0xYXZwOfrZse+XAX3AE
vP//VaMuT6MOC5VP6oFPCR7v0vWGQQ==
test.mork.no. 10800 IN NSEC test.mork.no. NS SOA RRSIG NSEC
DNSKEY CDS CDNSKEY
;; Query time: 36 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Fri Nov 07 13:37:00 CET 2025
;; MSG SIZE rcvd: 971
But the disable-algorithms *is* effective. If I also disable
ECDSAP256SHA256, then "ad" goes away, and I get an EDE with a reasonable
explanation:
bjorn@miraculix:~$ dig a test.mork.no @::1 +do
; <<>> DiG 9.20.15-1~deb13u1-Debian <<>> a test.mork.no @::1 +do
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16915
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: a9862a6b6971b5e401000000690de81b00a305b7af8a5e56 (good)
; EDE: 1 (Unsupported DNSKEY Algorithm): (RSASHA1 test.mork.no/SOA)
;; QUESTION SECTION:
;test.mork.no. IN A
;; AUTHORITY SECTION:
test.mork.no. 10800 IN SOA dilbert.mork.no. bjorn.mork.no.
2025103107 14400 3600 3628800 43200
test.mork.no. 10800 IN RRSIG SOA 5 3 43200 20251116150415
20251102140415 41785 test.mork.no.
pSMcLgbpRWjyuvmPyZhZRkQJ3ZOl1edM+4tr8wWzpEaSzKoPl+61BIhp
+84k9xQQY5kB/DykL7uTGh3Tc/V2KDNTPoAsFwSMT+jHkRuI+2UTk1zg
42yOxAIlOAV0Wqg0N9JzBYsd3gyONdvZ88DY1UvnDdUcFY7aVO3DWAIz
0z/PVK84f6/U+mWiuLJakHbsr9Ub0DgZeR+hXSak65cfjD/jnHBUNlyl
8xwG83kmJW0Ny9It0G9phTeYf5+aSVt9SO1+I9K6oNl/45wtADWL6ZuX
0cKOg70lNs7Z98OJDptkb5HV4N/3xTcuFKCaEmMpOlXf8t5WG8JlYwTf faxKbg==
test.mork.no. 10800 IN RRSIG SOA 13 3 43200 20251116150415
20251102140415 38456 test.mork.no.
393X9DjqIRsa4lrC8Prf9WHLxS6j6WedZo7aI0/koLXnWL8T+f73WL8u
DJRMDJctE7JKkrQrEp+Sg7gOuA0N5A==
test.mork.no. 10800 IN RRSIG NSEC 5 3 43200 20251115130415
20251101120415 41785 test.mork.no.
JxH+DveDAGmHBPIdJBaRFFepPd6nPejamlDeJSA/Gxd/j1O9hYM6uIdH
FCQkl6BbZb4Tl1jgGk7srKsrlgN+A8KooRDG/mj+gzDshVsawlNImnTC
iOxOa1p/NgsW9ruKGcmcaDpEVch/RSPoEzkePf/ILgV6u/bzCr51OofQ
34JtmPsmzew5jnZ4KgVtpnDCw3iUXd7YgNb8KnjBexBw0juV9SKd4tro
Ai+FLMJBgxe2WDpLKKnWbFYes3gBFNcvcA8vxvvLJyExisnoTOXH2ml5
SUr2ZY5Ym+tmNFl4HtgdvpV+OsAYI9Dfk00eiS3JPKIBV0lYZ8lNOmj3 VAGSOg==
test.mork.no. 10800 IN RRSIG NSEC 13 3 43200 20251115130415
20251101120415 38456 test.mork.no.
SeAXjRk7hg7+2a/dw0VI2yTQ0uxxuDkqzvlQi0xYXZwOfrZse+XAX3AE
vP//VaMuT6MOC5VP6oFPCR7v0vWGQQ==
test.mork.no. 10800 IN NSEC test.mork.no. NS SOA RRSIG NSEC
DNSKEY CDS CDNSKEY
;; Query time: 124 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Fri Nov 07 13:37:47 CET 2025
;; MSG SIZE rcvd: 1001
I noticed that the Debian BIND starts up with this regardless of the
disable-algorithms content:
07-Nov-2025 13:37:43.610 DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256
RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
07-Nov-2025 13:37:43.610 DS algorithms: SHA-1 SHA-256 SHA-384
07-Nov-2025 13:37:43.610 HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224
HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
I assume that's because the algorithms are disabled later, in a more
specific zone scope (even if that happens to be "."). But the end
result is not the same as I observed on RHEL9.
Bjørn
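The two dig runs above show the same pattern: every RRset in test.mork.no carries both an RSASHA1 (algorithm 5) and an ECDSAP256SHA256 (algorithm 13) signature, so disabling RSASHA1 alone still leaves a usable signature and "ad" stays set, while disabling both clears "ad" and produces EDE 1. As an added example that is not part of this thread, the Python below parses the relevant lines of such dig output and predicts, for a given disable-algorithms set, whether "ad" can still be expected; it looks only at RRSIG algorithms (not at the DS/DNSKEY chain), and SAMPLE_DIG is a constructed, shortened copy of the thread's output.

```python
import re

# IANA DNSSEC algorithm numbers, keyed to the mnemonics disable-algorithms uses
ALG_NAME = {5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256", 10: "RSASHA512",
            13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}

# Constructed sample: the flags line and authority section from the first dig
# run in the thread, with the base64 signature data shortened.
SAMPLE_DIG = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; AUTHORITY SECTION:
test.mork.no. 10800 IN SOA dilbert.mork.no. bjorn.mork.no. 2025103107 14400 3600 3628800 43200
test.mork.no. 10800 IN RRSIG SOA 5 3 43200 20251116150415 20251102140415 41785 test.mork.no. pSMc...
test.mork.no. 10800 IN RRSIG SOA 13 3 43200 20251116150415 20251102140415 38456 test.mork.no. 393X...
test.mork.no. 10800 IN RRSIG NSEC 5 3 43200 20251115130415 20251101120415 41785 test.mork.no. JxH+...
test.mork.no. 10800 IN RRSIG NSEC 13 3 43200 20251115130415 20251101120415 38456 test.mork.no. SeAX...
"""

def parse_dig(text):
    """Extract the ad flag, any EDE codes and the signing algorithms per RRset."""
    ad, edes, sigs = False, [], {}
    for line in text.splitlines():
        m = re.match(r";; flags: ([^;]*);", line)
        if m:
            ad = "ad" in m.group(1).split()
        m = re.match(r"; EDE: (\d+)", line)
        if m:
            edes.append(int(m.group(1)))
        # owner TTL IN RRSIG <type covered> <algorithm> ...
        m = re.match(r"(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+(\d+)\s", line)
        if m:
            sigs.setdefault((m.group(1), m.group(2)), []).append(int(m.group(3)))
    return ad, edes, sigs

def usable_signatures(sigs, disabled):
    """Per RRset, the signature algorithms that survive disable-algorithms."""
    return {rrset: [ALG_NAME.get(a, str(a)) for a in algs
                    if ALG_NAME.get(a) not in disabled]
            for rrset, algs in sigs.items()}

def expect_ad(sigs, disabled):
    """As seen in the thread: "ad" can remain only while every RRset keeps at least
    one signature in a non-disabled algorithm; once all of them are disabled the
    answer comes back without "ad" and with EDE 1 rather than as SERVFAIL."""
    return all(usable_signatures(sigs, disabled).values())

def explain(text, disabled):
    """Compare the observed ad flag with the prediction for this disabled set."""
    ad, edes, sigs = parse_dig(text)
    predicted = expect_ad(sigs, disabled)
    return {"ad": ad, "ede": edes, "predicted_ad": predicted,
            "status": "consistent" if predicted == ad else "unexpected",
            "usable": usable_signatures(sigs, disabled)}
```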