paypal.com DNSKEY no valid signature found

Mark Andrews marka at isc.org
Fri Mar 18 22:13:52 UTC 2022



> On 19 Mar 2022, at 01:37, Anand Buddhdev <anandb at ripe.net> wrote:
> 
> On 18/03/2022 15:25, lejeczek via bind-users wrote:
> 
> Hi L,
> 
>> how to troubleshoot that?
>> ...
>> 18-Mar-2022 14:17:41.725 warning: EVP_VerifyFinal failed (verify failure)
>> 18-Mar-2022 14:17:41.725 info: error:03000098:digital envelope routines::invalid digest:crypto/evp/pmeth_lib.c:959:
>> 18-Mar-2022 14:17:41.725 info: validating paypal.com/DNSKEY: no valid signature found
>> ...
>> I'd imagine must some up-the-chain servers doing something there - my local 'bind' does not point/use any specific forwarders.
> 
> The zone is correctly signed, but with RSASHA1, which is not recommended. You may be on a Linux distro whose openssl disables old algorithms like RSASHA1, and so BIND will not be able to validate this zone.

If so, disable the given algorithms and digests in named.conf so that named can treat the zones as insecure.  I will note that with FIPS mode you can still verify zones signed with RSASHA1 but not sign with RSASHA1.  I’m also thinking what is the point of allowing EVP_DigestInit_ex to succeed if you can’t sign or verify.

> Regards,
> Anand
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
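The named.conf change Mark refers to, written out as an added example (it is not part of the thread and not ISC's own text). It assumes a BIND 9 validating resolver; the algorithm and digest names are BIND's own mnemonics for RSASHA1 (5), NSEC3RSASHA1 (7) and DS digest type SHA-1 (1). Scoping the statements to "." covers the whole namespace; the narrower "paypal.com" form shown in the comment limits the exception to that zone and its subdomains.

```conf
options {
    // ... existing resolver options ...

    // Added example, not from the thread: tell named that these
    // algorithms are not supported, so a zone whose DNSKEYs use only
    // RSASHA1 / NSEC3RSASHA1 is treated as insecure (answered as
    // unsigned) rather than failing validation with SERVFAIL when the
    // system OpenSSL refuses SHA-1 signature verification.
    // Narrower alternative: disable-algorithms "paypal.com" { ... };
    disable-algorithms "." { RSASHA1; NSEC3RSASHA1; };

    // The same OpenSSL restriction affects SHA-1 DS digests at the
    // parent, so treat those as unsupported too.
    disable-ds-digests "." { SHA-1; };
};
```

Check the syntax with named-checkconf before reloading, then re-test the failing lookup with delv against the local resolver (delv +vtrace prints the validation trace); with the statements in place the DNSKEY lookup should succeed but without the AD flag, since named now treats the zone as unsigned. The trade-off is real: every zone signed only with those algorithms loses DNSSEC protection on this resolver, which is the insecure-rather-than-bogus outcome Mark describes, and the only way to keep validating them is to allow SHA-1 signature verification again in the system OpenSSL policy.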