Bug
Resolution: Unresolved
rhel-8.6.0
Low
rhel-sst-cs-net-perf-services
ssg_core_services
Description of problem:
The DSA algorithm is specified in RFC 8624 [1] as MUST NOT for both signing and validation, but our version still treats it as secure and validates signatures made with it. Unlike SHA-1 in RHEL 9 (Bug #2070495), this algorithm should not be used in DNSSEC at all.
Version-Release number of selected component (if applicable):
unbound-1.7.3-17.el8.x86_64
How reproducible:
always
Steps to Reproduce:
1. unbound-host -rdD secure.d2a3n1.rootcanary.net. 2>&1 | grep 'validation success secure.d2a3n1.rootcanary.net.'
Actual results:
[1649153992] libunbound[10019:0] info: validation success secure.d2a3n1.rootcanary.net. A IN
[1649153992] libunbound[10019:0] info: validation success secure.d2a3n1.rootcanary.net. AAAA IN
[1649153992] libunbound[10019:0] info: validation success secure.d2a3n1.rootcanary.net. MX IN
Expected results:
(empty output, return code 1)
Additional info:
It is already disabled in RHEL 9. Passing ./configure --disable-dsa at build time should be sufficient; the same change was made upstream in commit [2].
The test /CoreOS/unbound/Sanity/unbound-DNSSEC-algos can be used to check the secure status.
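As an added illustration (not part of this report or of unbound itself), the following Python encodes the RFC 8624 section 3.1 validation column and checks the reproducer's output against it: a zone whose DNSKEY set contains only MUST NOT algorithms should be treated as insecure, never logged as "validation success". The DNSKEY record is constructed with dummy key material; unknown algorithm numbers are assumed unusable.

```python
import re

# RFC 8624 section 3.1, "DNSSEC Validation" column, keyed by IANA algorithm number.
RFC8624_VALIDATION = {
    1: "MUST NOT",      # RSAMD5
    3: "MUST NOT",      # DSA
    5: "MUST",          # RSASHA1
    6: "MUST NOT",      # DSA-NSEC3-SHA1
    7: "MUST",          # RSASHA1-NSEC3-SHA1
    8: "MUST",          # RSASHA256
    10: "MUST",         # RSASHA512
    12: "MAY",          # ECC-GOST
    13: "MUST",         # ECDSAP256SHA256
    14: "RECOMMENDED",  # ECDSAP384SHA384
    15: "RECOMMENDED",  # ED25519
    16: "RECOMMENDED",  # ED448
}

# Constructed DNSKEY RRset in presentation format (algorithm 3 = DSA); key material is a dummy.
DSA_ONLY_DNSKEY = "secure.d2a3n1.rootcanary.net. 3600 IN DNSKEY 257 3 3 AQ=="

# The log lines from the reproducer above (unbound-host -rdD ... | grep).
REPORTED_OUTPUT = """\
[1649153992] libunbound[10019:0] info: validation success secure.d2a3n1.rootcanary.net. A IN
[1649153992] libunbound[10019:0] info: validation success secure.d2a3n1.rootcanary.net. AAAA IN
[1649153992] libunbound[10019:0] info: validation success secure.d2a3n1.rootcanary.net. MX IN
"""

def dnskey_algorithms(rrset_text):
    """Algorithm numbers of DNSKEY records (owner TTL class DNSKEY flags proto alg key)."""
    return [int(f[6]) for f in (l.split() for l in rrset_text.splitlines())
            if len(f) >= 8 and f[3].upper() == "DNSKEY"]

def expected_state(rrset_text):
    """'secure' if the zone offers at least one algorithm a validator may use; otherwise
    'insecure', since unsupported algorithms make the zone count as unsigned (RFC 4035 5.2).
    Algorithm numbers absent from the table are assumed unusable."""
    usable = [a for a in dnskey_algorithms(rrset_text)
              if RFC8624_VALIDATION.get(a, "MUST NOT") != "MUST NOT"]
    return "secure" if usable else "insecure"

def names_validated_secure(unbound_output):
    """Owner names that unbound-host -D logged as 'validation success'."""
    return sorted(set(re.findall(r"validation success (\S+) \S+ IN", unbound_output)))

def wrongly_secure(rrset_text, unbound_output):
    """Names the resolver called secure for a zone RFC 8624 says it must not validate.
    Assumes unbound_output was produced for the zone whose DNSKEY set is rrset_text."""
    if expected_state(rrset_text) == "secure":
        return []
    return names_validated_secure(unbound_output)
```

On the affected build, `wrongly_secure(DSA_ONLY_DNSKEY, REPORTED_OUTPUT)` is non-empty; with DSA disabled the grep in the reproducer produces no lines and the result is empty.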
1. https://datatracker.ietf.org/doc/html/rfc8624#section-3.1
2. https://github.com/NLnetLabs/unbound/commit/68ff1730ac9cb7f339d6618b87977f69dc02d974