Answers for www.dnssec-failed.org with dnssec-validation auto;
Mark Andrews
marka at isc.org
Thu Apr 18 02:31:13 UTC 2024
Named will tell you which DNSSEC algorithms it supports. Depending upon the OS and its configuration this may differ.
DNSSEC algorithms: RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
vs
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
% named -V
BIND 9.19.23-dev (Development Release) <id:ddceb53>
running on Darwin arm64 22.6.0 Darwin Kernel Version 22.6.0: Mon Feb 19 19:43:41 PST 2024; root:xnu-8796.141.3.704.6~1/RELEASE_ARM64_T8103
built by make with '--enable-developer' '--prefix=/usr/local' '--sysconfdir=/etc' '--localstatedir=/var' '--with-gssapi=krb5-config' 'CFLAGS=-g -mmacosx-version-min=13.1' 'PKG_CONFIG_PATH=/Users/marka/userspace-rcu/lib/pkgconfig:' '--with-cachedb=rbt'
compiled by CLANG Apple LLVM 15.0.0 (clang-1500.1.0.2.5)
compiled with OpenSSL version: OpenSSL 3.2.1 30 Jan 2024
linked to OpenSSL version: OpenSSL 3.2.1 30 Jan 2024
compiled with libuv version: 1.44.2
linked to libuv version: 1.44.2
compiled with liburcu version: 0.15.0-pre
compiled with jemalloc version: 5.3.0
compiled with libnghttp2 version: 1.59.0
linked to libnghttp2 version: 1.61.0
compiled with libxml2 version: 2.11.6
linked to libxml2 version: 21206
compiled with json-c version: 0.11
linked to json-c version: 0.11
compiled with zlib version: 1.3.1
linked to zlib version: 1.3.1
linked to maxminddb version: 1.8.0
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): no
TKEY mode 3 support (GSS-API): yes
default paths:
named configuration: /etc/named.conf
rndc configuration: /etc/rndc.conf
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
geoip-directory: /opt/local/share/GeoIP
%
> On 18 Apr 2024, at 11:44, Bob McDonald <bmcdonaldjr at gmail.com> wrote:
>
> Would this be true for FreeBSD as well? I also have a bind 9.18.24 instance running on freeBSD
> and it seems to be ok.
>
> Bob
>
> > The crypto policy stuff ultimately creates and maintains files in /etc/crypto-policy/backends, which has a list of acceptable or not-acceptable crypto settings.
>
> > Whilst a "bind.config" is created, you aren't including it in your config (this is fine), which suggests that the issue is with some of openssl configurations (which will be system wide anyway).
>
> > You can use the update-crypto-policies to update only the openssl configuration to allow sha1, or you could manually recreate those files (instead of the usual symlinks) and edit them individually as you please.
>
> > Stuart
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users
mailing list