Answers for www.dnssec-failed.org with dnssec-validation auto;

Mark Andrews marka at isc.org
Thu Apr 18 02:31:13 UTC 2024


Named will tell you which DNSSEC algorithms it supports.  Depending upon the OS and its configuration this may differ.

DNSSEC algorithms: RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448

vs

DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448

% named -V
BIND 9.19.23-dev (Development Release) <id:ddceb53>
running on Darwin arm64 22.6.0 Darwin Kernel Version 22.6.0: Mon Feb 19 19:43:41 PST 2024; root:xnu-8796.141.3.704.6~1/RELEASE_ARM64_T8103
built by make with  '--enable-developer' '--prefix=/usr/local' '--sysconfdir=/etc' '--localstatedir=/var' '--with-gssapi=krb5-config' 'CFLAGS=-g -mmacosx-version-min=13.1' 'PKG_CONFIG_PATH=/Users/marka/userspace-rcu/lib/pkgconfig:' '--with-cachedb=rbt'
compiled by CLANG Apple LLVM 15.0.0 (clang-1500.1.0.2.5)
compiled with OpenSSL version: OpenSSL 3.2.1 30 Jan 2024
linked to OpenSSL version: OpenSSL 3.2.1 30 Jan 2024
compiled with libuv version: 1.44.2
linked to libuv version: 1.44.2
compiled with liburcu version: 0.15.0-pre
compiled with jemalloc version: 5.3.0
compiled with libnghttp2 version: 1.59.0
linked to libnghttp2 version: 1.61.0
compiled with libxml2 version: 2.11.6
linked to libxml2 version: 21206
compiled with json-c version: 0.11
linked to json-c version: 0.11
compiled with zlib version: 1.3.1
linked to zlib version: 1.3.1
linked to maxminddb version: 1.8.0
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): no
TKEY mode 3 support (GSS-API): yes

default paths:
  named configuration:  /etc/named.conf
  rndc configuration:   /etc/rndc.conf
  nsupdate session key: /var/run/named/session.key
  named PID file:       /var/run/named/named.pid
  geoip-directory:      /opt/local/share/GeoIP
% 

> On 18 Apr 2024, at 11:44, Bob McDonald <bmcdonaldjr at gmail.com> wrote:
> 
> Would this be true for FreeBSD as well?  I also have a bind 9.18.24 instance running on FreeBSD
> and it seems to be ok.
> 
> Bob
> 
> > The crypto policy stuff ultimately creates and maintains files in /etc/crypto-policy/backends, which has a list of acceptable or not-acceptable crypto settings.
> 
> > Whilst a "bind.config" is created, you aren't including it in your config (this is fine), which suggests that the issue is with some of openssl configurations (which will be system wide anyway).
> 
> > You can use the update-crypto-policies to update only the openssl configuration to allow sha1, or you could manually recreate those files (instead of the usual symlinks) and edit them individually as you please.
> 
> > Stuart
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
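Added example, not part of the message above and not ISC's code: a small POSIX shell helper that pulls the `DNSSEC algorithms:` line out of `named -V` output and reports which of a list of wanted algorithms are absent, so the difference between the two builds quoted above can be checked mechanically on any host. The two sample outputs embedded in the script are constructed from the lines quoted in the message; the function names (`dnssec_algos`, `has_algo`, `missing_algos`) are my own and not BIND's.

```shell
#!/bin/sh
# Added example: check which DNSSEC algorithms a given `named -V` output lists.
# The two samples below are constructed from the message above (not live output).

# A named -V where the system crypto policy has dropped SHA-1 based algorithms.
NAMED_V_NO_SHA1='BIND 9.18.24 (Extended Support Version)
DNSSEC algorithms: RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384'

# A named -V that still lists the RSASHA1 family.
NAMED_V_WITH_SHA1='BIND 9.19.23-dev (Development Release)
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384'

# dnssec_algos OUTPUT
# Print the space-separated algorithm names from the "DNSSEC algorithms:" line.
dnssec_algos() {
    printf '%s\n' "$1" | sed -n 's/^DNSSEC algorithms: *//p'
}

# has_algo OUTPUT ALGO
# Exit 0 if ALGO appears in the DNSSEC algorithms line, 1 otherwise.
has_algo() {
    for a in $(dnssec_algos "$1"); do
        [ "$a" = "$2" ] && return 0
    done
    return 1
}

# missing_algos OUTPUT ALGO...
# Print, one per line, each requested algorithm that the build does not list.
missing_algos() {
    out=$1
    shift
    for want in "$@"; do
        has_algo "$out" "$want" || printf '%s\n' "$want"
    done
}

# Against a real resolver (hypothetical invocation, needs named on PATH):
#   missing_algos "$(named -V)" RSASHA1 NSEC3RSASHA1 RSASHA256 ECDSAP256SHA256
```

Run it against the actual `named -V` of the resolver in question: an empty result means every algorithm you asked about is supported; anything printed is an algorithm the build will not validate with, which is the first thing to compare between a host that validates a zone and one that does not.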


