- Bug
- Resolution: Unresolved
- rhel-10.1
- Moderate
- rhel-net-perf
What were you trying to do that didn't work?
On a FIPS machine with the FIPS crypto policy active, if /etc/named.conf does not contain the line include "/etc/crypto-policies/back-ends/bind.config"; (which pulls in the FIPS policy), named fails with SERVFAIL for zones signed with algorithm 15 (ED25519) or 16 (ED448).
What is the impact of this issue to you?
If the customer uses their own configuration file that lacks the default crypto policy include, or runs delv from the command line, resolution fails unnecessarily.
Please provide the package NVR for which the bug is seen:
bind-9.18.33-10.el10_1.2.x86_64
How reproducible is this bug?:
reliable
Steps to reproduce
- switch the machine into FIPS mode
- start named.service with dnssec-verify enabled
- comment out the line include "/etc/crypto-policies/back-ends/bind.config";
- dig @localhost secure.d4a15n3.rootcanary.net.
Expected results
The response lacks the AD bit but does not end with SERVFAIL status: the status should be NOERROR, with only the ad bit missing from the flags.
Actual results
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23437
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
A few top-level domains are signed with algorithm 15.
This was discovered when running the Sanity/bind-DNSSEC-algos test on a FIPS machine.
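As an added example (not part of the bug report or of bind itself), the following script checks whether a named.conf still has an active include of the system crypto policy, and classifies a dig header so the expected outcome (NOERROR without the ad flag) can be told apart from the SERVFAIL described above. The named.conf snippets and the NOERROR headers are constructed; only the SERVFAIL header is taken from the report.

```shell
#!/bin/sh
# Added example, not from the bug report. Sample inputs are constructed.

POLICY_FILE='/etc/crypto-policies/back-ends/bind.config'

# 0 if CONF contains an include of the policy file that is not commented out.
# A leading "//" or "#" (as in the reproduction step) makes the line inactive.
has_policy_include() {
    grep -Eq "^[[:space:]]*include[[:space:]]+\"$POLICY_FILE\"[[:space:]]*;" "$1"
}

# Read dig output on stdin and print one of: validated, insecure, servfail, other.
#   validated : NOERROR and the ad flag set (signatures checked)
#   insecure  : NOERROR but no ad flag (algorithm unsupported, answer still returned)
#   servfail  : the failure reported above
classify_dig() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/.*;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        SERVFAIL) echo servfail ;;
        NOERROR)
            case " $flags " in
                *" ad "*) echo validated ;;
                *)        echo insecure ;;
            esac ;;
        *) echo other ;;
    esac
}

# Write a constructed named.conf to a temp file and print its path.
# "$1" = active | commented, controlling the crypto-policy include line.
write_sample_conf() {
    f=$(mktemp)
    if [ "$1" = active ]; then
        printf 'options { dnssec-validation auto; };\ninclude "%s";\n' "$POLICY_FILE" > "$f"
    else
        printf 'options { dnssec-validation auto; };\n// include "%s";\n' "$POLICY_FILE" > "$f"
    fi
    echo "$f"
}

# Header from the "Actual results" section of the report.
ACTUAL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23437 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
# Constructed headers for the two acceptable outcomes.
INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

printf '%s\n' "$ACTUAL" | classify_dig   # prints: servfail
```

Run the classifier on real output by piping `dig @localhost secure.d4a15n3.rootcanary.net.` into classify_dig; "insecure" is the acceptable result without the policy include, "servfail" reproduces the bug.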