Stale date bump

Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

This is still borked:

1. rpm -q systemd
   systemd-252-5.el9.x86_64
2. grep ^DNSSEC= /etc/systemd/resolved.conf
   DNSSEC=yes
3. resolvectl query --cache=no ietf.org
   ietf.org: resolve call failed: DNSSEC validation failed: failed-auxiliary

1. update-crypto-policies --set DEFAULT:SHA1
   Setting system policy to DEFAULT:SHA1
   Note: System-wide crypto policies are applied on application start-up.
   It is recommended to restart the system for the change of policies
   to fully take place.
2. systemctl restart systemd-resolved
3. resolvectl query --cache=no ietf.org
   ietf.org: 2001:559:c4c7::100 – link: eth0
   50.223.129.194 – link: eth0

– Information acquired via protocol DNS in 6.2ms.
– Data is authenticated: yes; Data was acquired via local or encrypted transport: no
– Data from: network

I think it should result in insecure response for SHA-1 algorithm on policies, where it would not pass verification. It should not make SHA-1 signed zones completely unavailable, but just considered like unsupported algorithm. Should not result in SERVFAIL, but just without AD flag in dns reply. That is the best way we can fix it.

I am not sure how much resolved is supported in RHEL9, I just filled the bug to notify you there is some issue, which might need fix eventually. Adding also link to JIRA ticket, which provides a list of TLDs affected.

(In reply to Petr Menšík from comment #0)
> Description of problem:
> Crypto policies in RHEL9 will block SHA-1 signatures by default. However RFC
> 8624 [1] requires SHA-1 validation as mandatory.

IOW, we have to support it but we can't... So what exactly is expected from us here?