Bug 2071981
Summary: | NSEC3DSA should be disabled as DSA is in bind.config | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Petr Menšík <pemensik> |
Component: | crypto-policies | Assignee: | Alexander Sosedkin <asosedki> |
Status: | CLOSED ERRATA | QA Contact: | Ondrej Moriš <omoris> |
Severity: | low | Docs Contact: | Jan Fiala <jafiala> |
Priority: | low | ||
Version: | 8.6 | CC: | jafiala, omoris |
Target Milestone: | rc | Keywords: | Triaged |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | crypto-policies-20221215-1.gitece0092.el8 | Doc Type: | Bug Fix |
Doc Text: |
.`crypto-policies` now disable `NSEC3DSA` for BIND
Previously, the system-wide cryptographic policies did not control the `NSEC3DSA` algorithm in the BIND configuration. Consequently, `NSEC3DSA`, which does not meet current security requirements, was not disabled on DNS servers. With this update, all cryptographic policies disable `NSEC3DSA` in the BIND configuration by default.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2023-05-16 09:11:00 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Petr Menšík
2022-04-05 10:57:07 UTC
Related unbound bug #2071968, which should ensure similar thing in unbound. It is not necessary for bind 9.16.x, because it disables those algorithms directly by code. But that code-policy snippet makes it more obvious even on RHEL9 and Fedora. It would not be wrong, if it contained this on all versions: disable-algorithms "." { RSAMD5; DSA; NSEC3DSA; }; disable-ds-digests "." { GOST; }; Might have mentioned target file path: /etc/crypto-policies/back-ends/bind.config Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (crypto-policies bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:3025 |