RHEL-67028

unbound with SHA1 signatures: silent failure / ad flag missing but no diagnostics

    • Bug
    • Resolution: Unresolved
    • rhel-9.6
    • unbound
    • rhel-sst-cs-net-perf-services
    • ssg_core_services
    • Red Hat Enterprise Linux

      What were you trying to do that didn't work?

      Make a DNSSEC request.

      What is the impact of this issue to you?

      Significant time wasted figuring out why DNSSEC would not validate.

      Please provide the package NVR for which the bug is seen:

      unbound-1.16.2-3.el9_3.5.x86_64

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Install unbound with default configuration.
      2. Attempt a DNSSEC validation against a domain with a SHA1 signature.

      Expected results

      A clear, unambiguous error message saying that validation failed due to an unsupported algorithm, SERVFAIL response, EDE response.

      Actual results

      Successful return of DNS request, with the tiny detail that the ad flag is missing.

      No error messages, no warnings, no EDE response, no indication what was wrong.

              pemensik@redhat.com Petr Mensik
              minfrin Graham Leggett
              Petr Mensik Petr Mensik
              rhel-cs-infra-services-qe
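A check for the symptom reported above, added here as an example and not part of the issue or of unbound: it parses a wire-format DNS response and flags a NOERROR answer that carries a SHA-1 RRSIG but neither the ad flag nor an EDE option. The sample message, the name sha1.example and the helper names are constructed; RRSIGs are only present when the query set the DO bit.

```python
import struct

SHA1_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}  # IANA DNSSEC algorithm numbers

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + n
        if n == 0:                    # root label terminates the name
            return off

def diagnose(msg):
    """Classify a wire-format DNS response: AD flag, RCODE, EDE codes, SHA-1 RRSIGs."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    ad, rcode = bool(flags & 0x0020), flags & 0x000F
    off, sha1, ede = 12, set(), []
    for _ in range(qd):
        off = skip_name(msg, off) + 4                 # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == 46 and len(rdata) > 2 and rdata[2] in SHA1_ALGS:
            sha1.add(SHA1_ALGS[rdata[2]])             # RRSIG: algorithm is rdata byte 2
        p = 0
        while rtype == 41 and p + 4 <= len(rdata):    # OPT record: walk EDNS options
            code, olen = struct.unpack_from("!HH", rdata, p)
            if code == 15 and olen >= 2:              # Extended DNS Error (RFC 8914)
                ede.append(struct.unpack_from("!H", rdata, p + 4)[0])
            p += 4 + olen
    silent = rcode == 0 and not ad and not ede and bool(sha1)
    return {"rcode": rcode, "ad": ad, "ede": ede, "sha1_rrsig": sorted(sha1), "silent_insecure": silent}

def name(s):
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in s.split(".")) + b"\0"

def rr(owner, rtype, rdata, cls=1, ttl=300):
    return owner + struct.pack("!HHIH", rtype, cls, ttl, len(rdata)) + rdata

def sample(flags, alg, ede=None):
    """Constructed reply for sha1.example (hypothetical name), not captured traffic."""
    sig = struct.pack("!HBBIIIH", 1, alg, 2, 300, 0, 0, 12345) + name("example") + b"\0" * 8
    opt = struct.pack("!HHH", 15, 2, ede) if ede is not None else b""
    return (struct.pack("!6H", 0x1234, flags, 1, 2, 0, 1) + name("sha1.example") + struct.pack("!HH", 1, 1)
            + rr(b"\xc0\x0c", 1, bytes([192, 0, 2, 1])) + rr(b"\xc0\x0c", 46, sig)
            + rr(b"\0", 41, opt, cls=1232, ttl=0x8000))
```

`diagnose(sample(0x8180, 5))` models the reported case (NOERROR, no ad flag, no EDE, RSASHA1 signature) and returns `silent_insecure: True`.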