Answers for www.dnssec-failed.org with dnssec-validation auto;

stuart at registry.godaddy
Wed Apr 17 23:14:37 UTC 2024
The crypto policy stuff ultimately creates and maintains files in /etc/crypto-policy/backends, which has a list of acceptable or not-acceptable crypto settings.

Whilst a "bind.config" is created, you aren't including it in your config (this is fine), which suggests that the issue is with some of the openssl configurations (which will be system wide anyway).

You can use update-crypto-policies to update only the openssl configuration to allow sha1, or you could manually recreate those files (instead of the usual symlinks) and edit them individually as you please.

Stuart
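As an added example (not code from the thread, BIND or the crypto-policies project), the script below inspects the two crypto-policies back-end files that decide whether named can validate RSA/SHA-1 signatures: the BIND back-end with its disable-algorithms block, and the OpenSSL back-end with its rh-allow-sha1-signatures switch. The sample file contents, the /etc/crypto-policies/back-ends/ paths and the exact layout of those files are assumptions modelled on a RHEL 9 DEFAULT policy; run it against your own host's files to see which side is blocking SHA-1 before you widen the policy system-wide.

```shell
#!/bin/sh
# Added example: report which DNSSEC algorithms the crypto-policies back-ends
# disable, so you know before restarting named whether RSA/SHA-1-signed zones
# (like dnssec-failed.org) will fail validation. Not part of the original thread.

# Constructed sample of a BIND back-end file as produced by a DEFAULT policy
# (assumption; compare with /etc/crypto-policies/back-ends/bind.config on your host).
SAMPLE_BIND_CONFIG='disable-algorithms "." {
RSASHA1;
NSEC3RSASHA1;
};
disable-ds-digests "." {
GOST;
};'

# Constructed sample of the OpenSSL back-end fragment that governs SHA-1
# signatures (assumption; compare with /etc/crypto-policies/back-ends/opensslcnf.config).
SAMPLE_OPENSSL_CONFIG='[openssl_init]
alg_section = evp_properties
[evp_properties]
rh-allow-sha1-signatures = no'

# disabled_algorithms FILE -> prints each algorithm named inside the
# disable-algorithms block, one per line.
disabled_algorithms() {
    awk '
        /disable-algorithms/ { inblock = 1; next }
        inblock && /^[ \t]*};/ { inblock = 0; next }
        inblock { gsub(/[ \t;]/, ""); if (length($0)) print }
    ' "$1"
}

# bind_sha1_blocked FILE -> exit 0 if either RSA/SHA-1 algorithm is disabled.
bind_sha1_blocked() {
    disabled_algorithms "$1" | grep -qxE 'RSASHA1|NSEC3RSASHA1'
}

# openssl_sha1_blocked FILE -> exit 0 if rh-allow-sha1-signatures is set to "no".
openssl_sha1_blocked() {
    grep -E '^[ \t]*rh-allow-sha1-signatures[ \t]*=' "$1" \
        | tail -n 1 | awk -F= '{ gsub(/[ \t]/, "", $2); print $2 }' \
        | grep -qx no
}

# Policy name currently active, or "unknown" on hosts without crypto-policies.
active_policy() {
    if command -v update-crypto-policies >/dev/null 2>&1; then
        update-crypto-policies --show
    else
        echo unknown
    fi
}

main() {
    tmp_bind=$(mktemp); tmp_ssl=$(mktemp)
    printf '%s\n' "$SAMPLE_BIND_CONFIG" > "$tmp_bind"
    printf '%s\n' "$SAMPLE_OPENSSL_CONFIG" > "$tmp_ssl"
    # Pass your real back-end paths as $1 (bind.config) and $2 (opensslcnf.config).
    bind_cfg="${1:-$tmp_bind}"; ssl_cfg="${2:-$tmp_ssl}"

    echo "active crypto policy: $(active_policy)"
    echo "algorithms disabled by $bind_cfg:"
    disabled_algorithms "$bind_cfg" | sed 's/^/  /'
    if bind_sha1_blocked "$bind_cfg"; then
        echo "BIND back-end: RSA/SHA-1 disabled (matters only if named.conf includes it)"
    else
        echo "BIND back-end: RSA/SHA-1 allowed"
    fi
    if openssl_sha1_blocked "$ssl_cfg"; then
        echo "OpenSSL back-end: SHA-1 signatures rejected system-wide; named will SERVFAIL on RSASHA1 zones"
    else
        echo "OpenSSL back-end: SHA-1 signatures allowed"
    fi
    rm -f "$tmp_bind" "$tmp_ssl"
}

main "$@"
```

With no arguments the script runs on its embedded samples; on a RHEL host run it as `sh check.sh /etc/crypto-policies/back-ends/bind.config /etc/crypto-policies/back-ends/opensslcnf.config`. The distinction the two checks draw is the one Stuart makes above: if named.conf does not include bind.config, only the OpenSSL back-end can be what rejects the SHA-1 signatures, and that file applies to every OpenSSL consumer on the host, not just named.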

From: bind-users <bind-users-bounces at lists.isc.org> on behalf of John Thurston <john.thurston at alaska.gov>
Date: Thursday, 18 April 2024 at 06:39
To: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
Subject: Re: Answers for www.dnssec-failed.org with dnssec-validation auto;

Arrgh. You are correct. I was so far down in the weeds, I didn't notice a rock had fallen on my head.
I know I can re-enable SHA1 for everything on the host with:
update-crypto-policies --set DEFAULT:SHA1
But that's a fairly broad stroke, when only 'named' needs to accept such signatures. Is there a way to narrow it down?

--
Do things because you should, not just because you can.

John Thurston    907-465-8591
mailto:John.Thurston at alaska.gov
Department of Administration
State of Alaska
On 4/17/2024 9:21 AM, Ondřej Surý wrote:
Let me guess - you are running on RHEL (without SHA-1 support) and dnssec-failed.org is signed with RSA/SHA-1…