Dear Paul

Thank you, Paul. I understand.

On Fri, 7 Mar 2025 at 12:27, Paul Wouters <p...@nohats.ca> wrote:
>
> On Mar 6, 2025, at 21:10, FG NN <kazan.furin.shin...@gmail.com> wrote:
>
> > Dear Paul
> >
> > Thank you very much.
> > I do not want to enable SHA-1.
> > I just want to know why SERVFAIL is returned for Unbound on a system where
> > SHA-1 is supposed to be disabled.
>
> Because unbound tries sha1 and gets an error from the crypto library. If
> you want unbound to treat sha1 as unsigned, there is either a compile time
> flag or runtime flag to do that.
>
> Paul
>
> > The dnssec-failed.org is BOGUS, but on RHEL 9 it should be Insecure.
> >
> > On Fri, 7 Mar 2025 at 10:18, Paul Wouters <p...@nohats.ca> wrote:
>> update-crypto-policies --set LEGACY
>> systemctl restart unbound
>>
>> Paul
>>
>> Sent using a virtual keyboard on a phone
>>
>> On Mar 6, 2025, at 19:11, FG NN via Unbound-users <unbound-users@lists.nlnetlabs.nl> wrote:
>>
>> Hello.
>> I am currently testing Unbound.
>> My environment is
>> ・RHEL 9.5
>> ・Unbound 1.22.0
>> I got the tarball from "https://nlnetlabs.nl/downloads/unbound/unbound-latest.tar.gz" and built
>> it with the option "--enable-systemd --with-libevent".
>> My unbound.conf is as follows
>> ---
>> server:
>>     interface: ens192
>>     interface: 127.0.0.1
>>     port: 53
>>     msg-cache-slabs: 4
>>     rrset-cache-slabs: 4
>>     infra-cache-slabs: 4
>>     key-cache-slabs: 4
>>
>>     so-reuseport: yes
>>     outgoing-num-tcp: 1000
>>     incoming-num-tcp: 1000
>>     msg-cache-size: 128m
>>     rrset-cache-size: 256m
>>     num-queries-per-thread: 2048
>>
>>     do-ip6: no
>>     do-daemonize: no
>>
>>     access-control: 127.0.0.0/8 allow
>>     access-control: 192.168.0.0/16 allow
>>
>>     private-address: 192.168.0.0/16
>>
>>     auto-trust-anchor-file: "/usr/local/etc/unbound/files/root.key"
>>     root-hints: "/usr/local/etc/unbound/files/named.root"
>>
>> remote-control:
>>     control-enable: yes
>>     control-interface: 127.0.0.1
>> ---
>>
>> When attempting to resolve the name "dnssec-failed.org", which is
>> signed with SHA-1, "SERVFAIL" is returned.
>> ---
>> # dig @127.0.0.1 dnssec-failed.org +dnssec
>>
>> ; <<>> DiG 9.16.23-RH <<>> @127.0.0.1 dnssec-failed.org +dnssec
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23429
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 1232
>> ;; QUESTION SECTION:
>> ;dnssec-failed.org. IN A
>>
>> ;; Query time: 0 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Thu Mar 06 14:28:14 JST 2025
>> ;; MSG SIZE rcvd: 46
>> ---
>> The result is the same after executing "update-crypto-policies --set DEFAULT:NO-SHA1".
>> (To begin with, SHA-1 is disabled in RHEL 9 by default.)
>> Normally, I have heard that in this case Unbound will reply
>> "NOERROR" as "Insecure".
>> https://github.com/NLnetLabs/unbound/pull/660
>> Is there a problem with my configuration that is causing the SERVFAIL?
>> I know that if I just want to receive "NOERROR" as "Insecure", I can
>> disable SHA-1 by adding the --disable-sha1 build option.
>> This is just a question for personal interest, but I hope someone can
>> answer it for me.
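The thread turns on telling a validator's SERVFAIL apart from a NOERROR-without-AD "Insecure" answer. As an added example (not from this thread or from Unbound), the POSIX sh function below classifies a `dig +dnssec` run into SECURE / INSECURE / BOGUS_OR_ERROR from the header and flags lines; the sample outputs are constructed, modelled on the dig output quoted above, and `live_check` is a hypothetical wrapper that assumes a resolver on 127.0.0.1.

```shell
#!/bin/sh
# Classify what a validating resolver told the stub, from "dig ... +dnssec" text.
#   status SERVFAIL                   -> BOGUS_OR_ERROR (validation failed; Unbound
#                                        answers this way too when the crypto
#                                        library refuses the signature algorithm)
#   status NOERROR with the "ad" flag  -> SECURE
#   status NOERROR without "ad"        -> INSECURE (unsigned, or the algorithm was
#                                        treated as unsupported, so nothing validated)
# Only meaningful for a query sent without +cd: the CD bit turns validation off,
# so "ad" is never set on such answers.
classify_dig() {
    _out=$1
    _status=$(printf '%s\n' "$_out" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    _flags=$(printf '%s\n' "$_out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case $_status in
        SERVFAIL) echo BOGUS_OR_ERROR ;;
        NOERROR)
            case " $_flags " in
                *" ad "*) echo SECURE ;;
                *)        echo INSECURE ;;
            esac ;;
        "") echo UNPARSED ;;
        *)  echo "OTHER:$_status" ;;
    esac
}

# Constructed samples (header lines only), modelled on the dig output in the thread.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23429
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# Hypothetical live wrapper (needs a resolver; not exercised by the samples).
# A name that is SERVFAIL here but NOERROR with "+cd" resolves fine upstream,
# so the failure is in validation rather than in reaching the zone.
live_check() {
    classify_dig "$(dig @"${2:-127.0.0.1}" "$1" +dnssec)"
}

for s in "$SAMPLE_SERVFAIL" "$SAMPLE_INSECURE" "$SAMPLE_SECURE"; do
    classify_dig "$s"
done
```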