Bug
Resolution: Won't Do
rhel-9.0.0
Important
rhel-net-perf
ssg_core_services
Description of problem:
Many DNSSEC ZSK keys used on public zones use short keys. Those short key verifications work on RHEL 9.0 at the moment, but this is going to be fixed by bug #2077884.
Version-Release number of selected component (if applicable):
bind-9.16.23-1.el9.x86_64
How reproducible:
would be reliable
Steps to Reproduce:
1. kdig +multi -t dnskey 100.in-addr.arpa | grep -E '1[0-9]{3}b'
2. fips-mode-setup --enable && reboot
3. systemctl restart named
Actual results:
; <<>> DiG 9.16.23-RH <<>> @localhost 100.in-addr.arpa
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; >>HEADER<< opcode: QUERY, status: SERVFAIL, id: 51523
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
Expected results:
dig @localhost 100.in-addr.arpa
; <<>> DiG 9.16.23-RH <<>> @localhost 100.in-addr.arpa
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; >>HEADER<< opcode: QUERY, status: NOERROR, id: 51523
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: ccbd17067595b02d010000006262bec84c89c72cc8cf6a3d (good)
;; QUESTION SECTION:
;100.in-addr.arpa. IN A
;; AUTHORITY SECTION:
100.in-addr.arpa. 10765 IN SOA z.arin.net. dns-ops.arin.net. 2017033603 1800 900 691200 10800
;; Query time: 1 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Apr 22 10:42:16 EDT 2022
;; MSG SIZE rcvd: 127
Additional info:
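
Added example, not part of the original report and not code from BIND or RHEL: a way to list the short RSA DNSKEYs the description refers to, by decoding the RFC 3110 public key field and measuring the modulus. The 2048-bit minimum, the function names and the one-record-per-line input (dig output without +multi) are assumptions; the sample records are constructed.

```python
import base64

# DNSSEC algorithm numbers that carry RSA public keys (RFC 3110 key format).
RSA_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}
MIN_RSA_BITS = 2048  # assumption: minimum RSA size accepted once FIPS mode is enforced

def rsa_modulus_bits(key: bytes) -> int:
    """RFC 3110 layout: exponent length (1 byte, or 0x00 + 2 bytes), exponent, modulus."""
    if len(key) < 3:
        raise ValueError("truncated RSA key")
    if key[0] != 0:
        exp_len, off = key[0], 1
    else:
        exp_len, off = int.from_bytes(key[1:3], "big"), 3
    modulus = key[off + exp_len:]
    if not modulus:
        raise ValueError("truncated RSA key")
    return int.from_bytes(modulus, "big").bit_length()

def short_rsa_keys(zone_text: str, min_bits: int = MIN_RSA_BITS):
    """Return (owner, role, algorithm, bits) for every RSA DNSKEY below min_bits."""
    findings = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, _proto, alg = (int(x) for x in fields[i + 1:i + 4])
        if alg not in RSA_ALGS:  # ECDSA/EdDSA keys have no RSA modulus
            continue
        bits = rsa_modulus_bits(base64.b64decode("".join(fields[i + 4:])))
        if bits < min_bits:
            role = "KSK" if flags & 1 else "ZSK"  # SEP bit set means KSK
            findings.append((fields[0], role, RSA_ALGS[alg], bits))
    return findings

def _rdata(mod_len: int) -> str:
    # Constructed key material (exponent 65537, filler modulus), not a real zone key.
    return base64.b64encode(b"\x03\x01\x00\x01" + b"\xc3" * mod_len).decode()

SAMPLE = "\n".join([  # constructed records for a placeholder zone
    f"example.test. 3600 IN DNSKEY 256 3 8 {_rdata(128)}",
    f"example.test. 3600 IN DNSKEY 257 3 8 {_rdata(256)}",
    "example.test. 3600 IN DNSKEY 256 3 13 " + base64.b64encode(b"\x01" * 64).decode(),
])

if __name__ == "__main__":
    for owner, role, alg, bits in short_rsa_keys(SAMPLE):
        print(f"{owner} {role} {alg} {bits} bits < {MIN_RSA_BITS}")
```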