Bug
Resolution: Unresolved
Normal
Moderate
rhel-sst-cs-plumbers
ssg_core_services
8
False
If docs needed, set a value
Unspecified
Description of problem:
Crypto policies in RHEL 9 block SHA-1 signatures by default. However, RFC 8624 [1] makes SHA-1 signature validation mandatory for DNSSEC validators. Because the system-wide crypto policy is enforced inside the crypto libraries themselves, it affects any DNSSEC-validating software that uses OpenSSL or GnuTLS.
Version-Release number of selected component (if applicable):
openssl-libs-3.0.1-21.el9.x86_64
crypto-policies-20220223-1.git5203b41.el9_0.1.noarch
gnutls-3.7.3-9.el9.x86_64
How reproducible:
reliable
Steps to Reproduce:
1. set DNSSEC=yes in /etc/systemd/resolved.conf
2. systemctl restart systemd-resolved
3. resolvectl query ietf.org
Actual results:
ietf.org: resolve call failed: DNSSEC validation failed: failed-auxiliary
Expected results:
ietf.org: 2001:1900:3001:11::2c -- link: eth0
4.31.198.44 -- link: eth0
-- Information acquired via protocol DNS in 1.0828s.
-- Data is authenticated: yes; Data was acquired via local or encrypted transport: no
-- Data from: network
Additional info:
The command "update-crypto-policies --set DEFAULT:SHA1" switches to a crypto policy that restores the previous behaviour, so that both SHA-1 signature verification and creation succeed again.
[1] https://datatracker.ietf.org/doc/html/rfc8624#section-3.1
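The following script is an added example and is not part of the bug report or of the crypto-policies project. It gives an administrator two quick checks for the condition described above: a pure string check that tells whether a crypto-policies setting (for example the string shown by "update-crypto-policies --show", or the DEFAULT:SHA1 workaround from the report) includes the SHA1 subpolicy, and a live check that asks the installed OpenSSL to create and verify an RSA signature over a SHA-1 digest, which is the same primitive a DNSSEC validator needs for RSASHA1 records. The function names, the throwaway key and the constructed test message are this example's own; the assumption that /etc/crypto-policies/config holds the name of the active policy is noted in the code.

```shell
#!/bin/sh
# Added example, not the bug report's or the project's own code.
# Two checks for the SHA-1 signature restriction described in the report.

# policy_allows_sha1 POLICY
# Return 0 if POLICY (e.g. "DEFAULT:SHA1", "FIPS:SHA1:OSPP") names the SHA1
# subpolicy, which is what "update-crypto-policies --set DEFAULT:SHA1" enables;
# return 1 otherwise. Subpolicies are colon separated after the base policy.
policy_allows_sha1() {
    policy=$1
    rest=${policy#*:}
    # No ':' at all means a bare base policy with no subpolicies.
    [ "$rest" = "$policy" ] && return 1
    case ":$rest:" in
        *:SHA1:*) return 0 ;;
        *)        return 1 ;;
    esac
}

# sha1_signature_usable
# Live check against the installed OpenSSL under the active crypto policy:
#   0 - a SHA-1 RSA signature could be created and verified
#   1 - signing or verifying with SHA-1 was refused (RHEL 9 DEFAULT behaviour)
#   2 - openssl is missing or key generation itself failed (inconclusive)
# Uses a throwaway 2048-bit RSA key and a constructed message in a temp dir.
sha1_signature_usable() {
    command -v openssl >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d) || return 2
    printf 'constructed test message\n' > "$tmp/msg"
    if ! openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$tmp/key.pem" >/dev/null 2>&1 \
       || ! openssl pkey -in "$tmp/key.pem" -pubout -out "$tmp/pub.pem" >/dev/null 2>&1
    then
        rm -rf "$tmp"
        return 2
    fi
    status=1
    if openssl dgst -sha1 -sign "$tmp/key.pem" -out "$tmp/sig" "$tmp/msg" >/dev/null 2>&1 \
       && openssl dgst -sha1 -verify "$tmp/pub.pem" -signature "$tmp/sig" "$tmp/msg" >/dev/null 2>&1
    then
        status=0
    fi
    rm -rf "$tmp"
    return $status
}

# active_policy
# Print the active crypto-policies setting: prefer the tool's own output,
# otherwise read /etc/crypto-policies/config (assumed, as on RHEL, to hold the
# policy name); print "unknown" elsewhere.
active_policy() {
    if command -v update-crypto-policies >/dev/null 2>&1; then
        update-crypto-policies --show 2>/dev/null && return 0
    fi
    if [ -r /etc/crypto-policies/config ]; then
        grep -v '^#' /etc/crypto-policies/config | head -n 1
        return 0
    fi
    echo unknown
}

# report: human-readable summary of both checks.
report() {
    pol=$(active_policy)
    echo "active crypto policy: $pol"
    if policy_allows_sha1 "$pol"; then
        echo "policy string enables the SHA1 subpolicy"
    else
        echo "policy string does not enable the SHA1 subpolicy"
    fi
    if sha1_signature_usable; then
        echo "openssl: SHA-1 RSA sign+verify works (DNSSEC RSASHA1 validation possible)"
    else
        case $? in
            1) echo "openssl: SHA-1 signatures refused (expect DNSSEC failed-auxiliary)" ;;
            *) echo "openssl: check inconclusive (openssl missing or keygen failed)" ;;
        esac
    fi
}

report
```

On a RHEL 9 host with the DEFAULT policy the live check reports that SHA-1 signatures are refused, matching the "failed-auxiliary" result from resolvectl; after the DEFAULT:SHA1 workaround both checks report SHA-1 as usable. The string check is independent of the host, so it can also be run against policy values collected from other machines.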