Bug 2071981
| Summary: | NSEC3DSA should be disabled as DSA is in bind.config | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Petr Menšík <pemensik> |
| Component: | crypto-policies | Assignee: | Alexander Sosedkin <asosedki> |
| Status: | CLOSED ERRATA | QA Contact: | Ondrej Moriš <omoris> |
| Severity: | low | Docs Contact: | Jan Fiala <jafiala> |
| Priority: | low | ||
| Version: | 8.6 | CC: | jafiala, omoris |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | Flags: | pm-rhel:
mirror+
|
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | crypto-policies-20221215-1.gitece0092.el8 | Doc Type: | Bug Fix |
| Doc Text: |
.`crypto-policies` now disable `NSEC3DSA` for BIND
Previously, the system-wide cryptographic policies did not control the `NSEC3DSA` algorithm in the BIND configuration. Consequently, `NSEC3DSA`, which does not meet current security requirements, was not disabled on DNS servers. With this update, all cryptographic policies disable `NSEC3DSA` in the BIND configuration by default.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-05-16 09:11:00 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Related unbound bug #2071968, which should ensure similar thing in unbound. It is not necessary for bind 9.16.x, because it disables those algorithms directly by code. But that code-policy snippet makes it more obvious even on RHEL9 and Fedora. It would not be wrong, if it contained this on all versions:
disable-algorithms "." {
RSAMD5;
DSA;
NSEC3DSA;
};
disable-ds-digests "." {
GOST;
};
Might have mentioned target file path: /etc/crypto-policies/back-ends/bind.config Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (crypto-policies bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:3025 |
Description of problem: RFC 8624 [1] mandates DSA to be not used for validation. More recent versions disable it in the code, for example RHEL9. But it would not be wrong to add also NSEC3 variant of DSA. Version-Release number of selected component (if applicable): crypto-policies-20211116-1.gitae470d6.el8.noarch bind-9.11.36-3.el8.x86_64 How reproducible: reliable Steps to Reproduce: 1. systemctl restart named 2. (add forwarders { 8.8.8.8; }; to options {} in /etc/named.conf if needed) 3. dig @localhost secure.d2a6n3.rootcanary.net. | grep flags: 4. dig @localhost secure.d2a3n1.rootcanary.net. | grep flags: Actual results: ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ; EDNS: version: 0, flags: do; udp: 1232 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ; EDNS: version: 0, flags: do; udp: 1232 Expected results: ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ; EDNS: version: 0, flags: do; udp: 1232 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ; EDNS: version: 0, flags: do; udp: 1232 Additional info: AD flag has to be removed. 1. https://datatracker.ietf.org/doc/html/rfc8624#section-3.1