Thanks! I now remember; I have seen Petr discussing something similar on the Bind Users mailing list.
Josef

On Thu, Sep 8, 2022 at 9:20 AM Carsten Strotmann <cars...@strotmann.de> wrote:
>
> Hello Josef,
>
> On 8 Sep 2022, at 8:42, Josef Vybíhal via Unbound-users wrote:
>
> > Hello everyone,
> > maybe this will be obvious to some, but I have been scratching my head
> > about this since yesterday.
> >
> > In CentOS Stream 9, when unbound installed from Appstream, I see that
> > unbound returns insecure replies to clients. Which is not what I want,
> > nor what I am used to. I am thinking this might be a packaging bug,
> > compile option or config setting, but I can not figure out which and
> > where. I am testing with untouched rpm package config.
> >
> >
> > CentOS Stream 9 example:
> > [root@18 ~]# dig sigfail.verteiltesysteme.net @127.1 +short
> > 134.91.78.139
> > [root@18 ~]# unbound-host -C /etc/unbound/unbound.conf -v
> [...]
> > sigok.verteiltesysteme.net has address 134.91.78.139 (insecure)
> > sigok.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139
> > (insecure)
> > sigok.verteiltesysteme.net has no mail handler record (insecure)
> > [root@18 ~]# unbound -V
> > Version 1.16.2
>
> Red Hat removed (almost all) SHA1 support from RHEL 9 (including CentOS),
> which makes DNSSEC zones signed with RSASHA1 treated as insecure:
>
> <https://access.redhat.com/solutions/6955455>
>
> This affects the Red Hat build versions of Unbound and BIND 9 (as a resolver).
>
> SHA1 for DNSSEC use is on its path to be deprecated
> <https://www.ietf.org/archive/id/draft-hardaker-dnsop-must-not-sha1-00.html>,
> but there are still zones that have not migrated to stronger DNSSEC
> algorithms.
>
> See the discussion on this mailing list for some background
> <https://lists.nlnetlabs.nl/pipermail/unbound-users/2022-April/007709.html>
>
> Greetings
>
> Carsten
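A small diagnostic for the situation Carsten describes, added here as an example and not part of the thread or of Unbound: it parses the output of `dig DNSKEY <zone> +dnssec` against a resolver, reports whether the AD flag was set, and checks whether every DNSKEY in the zone uses a SHA-1 based algorithm, which is exactly the case a RHEL 9 resolver can no longer validate. The function names, the `ZoneReport` type and the `SAMPLE_DIG` text are constructed for this example; `example.test.` is not a real zone.

```python
import re
from typing import Dict, NamedTuple

# IANA DNSSEC algorithm numbers. RHEL 9's crypto policy refuses the SHA-1 based
# ones, so Unbound there cannot validate such zones and serves them as insecure.
SHA1_ALGORITHMS = {3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1"}
MODERN_ALGORITHMS = {8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256",
                     14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}

# Presentation format: owner TTL IN DNSKEY flags protocol algorithm key
DNSKEY_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+DNSKEY\s+\d+\s+\d+\s+(\d+)\s+\S")
FLAGS_RE = re.compile(r"^;; flags:([^;]*);")

class ZoneReport(NamedTuple):
    zone: str
    algorithms: Dict[int, str]   # algorithm number -> name, from the DNSKEY RRset
    ad_flag: bool                # resolver set AD (authenticated data)?
    sha1_only: bool              # every DNSKEY uses a SHA-1 based algorithm

def analyse_dig_output(text: str) -> ZoneReport:
    """Parse 'dig DNSKEY <zone> +dnssec' output into a ZoneReport."""
    zone, algorithms, ad_flag = "", {}, False
    for line in text.splitlines():
        m = FLAGS_RE.match(line)
        if m:
            ad_flag = "ad" in m.group(1).split()
        elif (m := DNSKEY_RE.match(line)):   # RRSIG and other records are skipped
            zone = zone or m.group(1)
            alg = int(m.group(2))
            algorithms[alg] = SHA1_ALGORITHMS.get(alg) or MODERN_ALGORITHMS.get(alg) or f"alg{alg}"
    sha1_only = bool(algorithms) and all(a in SHA1_ALGORITHMS for a in algorithms)
    return ZoneReport(zone, algorithms, ad_flag, sha1_only)

def diagnose(report: ZoneReport) -> str:
    if report.ad_flag:
        return f"{report.zone}: validated (AD set)"
    if report.sha1_only:
        names = ", ".join(sorted(report.algorithms.values()))
        return f"{report.zone}: insecure; only SHA-1 based keys ({names}), which RHEL 9 disables"
    return f"{report.zone}: insecure; not a key-algorithm issue, check trust anchor and config"

# Constructed sample in the shape dig prints; the keys are placeholders, not real key material.
SAMPLE_DIG = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.test.  3600  IN  DNSKEY  257 3 5 AwEAAcKSK-placeholder-not-a-real-key==
example.test.  3600  IN  DNSKEY  256 3 5 AwEAAcZSK-placeholder-not-a-real-key==
example.test.  3600  IN  RRSIG   DNSKEY 5 2 3600 20220930000000 20220901000000 4242 example.test. c2ln
"""
```

Run `diagnose(analyse_dig_output(open("dig.out").read()))` on real output from `dig @127.0.0.1 DNSKEY <zone> +dnssec` to see whether an "insecure" answer is explained by SHA-1-only keys.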