Bug 2413070

Summary: Regression with disabled algorithms after CVE-2025-8677 fixes
Product: Fedora
Reporter: Petr Menšík <pemensik>
Component: bind
Assignee: Petr Menšík <pemensik>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: rawhide
CC: anon.amish, dns-sig, mruprich, pemensik, zdohnal
Target Milestone: ---
Keywords: Regression
Target Release: ---
Hardware: Unspecified
OS: Linux
Fixed In Version: bind-9.18.41-2.fc43 bind-9.18.41-2.fc41 bind-9.18.41-2.fc42
Clones: 2413104
Last Closed: 2025-11-09 03:07:12 UTC
Bug Depends On: 2405830
Bug Blocks: 2413104

Description Petr Menšík 2025-11-06 11:15:38 UTC
Shortly after the release of CVE-2025-8677, users started reporting problems on RHEL machines. The DEFAULT crypto policy has not permitted verification of the SHA1 algorithm since RHEL 9.

Threads:
https://lists.isc.org/pipermail/bind-users/2025-October/110228.html
https://lists.isc.org/pipermail/bind-users/2025-October/110223.html

It soon turned out that it happens only on dual-signed zones, where one of the algorithms is 5 or 7.

On Fedora it is less important, because the DEFAULT crypto policy does not prevent SHA1 signature verification. But in some configurations it would be a problem as well.

Reproducible: Always

Steps to Reproduce:
1. Have a zone signed with a disabled algorithm (5 or 7, for example) together with a signature of a supported algorithm (8+)
2. Have dnssec-validation auto or yes

Actual Results:
Resolution started getting SERVFAIL, although there is one valid signature on the record.

Expected Results:
The record is marked with the AD bit and the unsupported-algorithm signature is just skipped.

Additional Information:
This might happen when the RSASHA1 and RSASHA1NSEC3 algorithms are disabled. That happens in Fedora with the DEFAULT:NO-SHA1 crypto policy or by using disable-algorithms in named.conf.

Reported upstream: https://gitlab.isc.org/isc-projects/bind9/-/issues/5622

The first difference when trying it with delv +vtrace starts with:

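To make the expected versus regressed validator decision concrete, the following Python model is added here by the editor; it is not BIND's code and does not run real cryptography. It assumes a simulated signature check (the crypto_ok field), constructed key tags, and the RFC 4035/6840 rules that a validator ignores signatures whose algorithm it cannot use and accepts an RRset on any one valid signature from a supported algorithm.

```python
"""Minimal model of a DNSSEC validator's per-RRset decision for a dual-signed zone.
Illustration only (not BIND's implementation); the crypto check is simulated."""
from dataclasses import dataclass

# Algorithm numbers from the IANA DNSSEC algorithm registry
RSASHA1, RSASHA1_NSEC3_SHA1, RSASHA256 = 5, 7, 8


@dataclass(frozen=True)
class Rrsig:
    algorithm: int
    key_tag: int
    crypto_ok: bool  # constructed stand-in for the real signature verification result


def validate_rrset(rrsigs, zone_algorithms, disabled, skip_disabled=True):
    """Return "secure" (AD bit set), "insecure" (no AD bit) or "bogus" (SERVFAIL).

    zone_algorithms: algorithms present in the zone's authenticated DS/DNSKEY set.
    disabled: algorithms the resolver refuses to use (crypto policy or disable-algorithms).
    skip_disabled: True models the expected behaviour, False the regression in this bug.
    """
    # RFC 4035 s5.2: if no algorithm in the DS set is supported there is no
    # authentication path at all, so the zone is treated as insecure, not bogus.
    if not (zone_algorithms - disabled):
        return "insecure"
    if not skip_disabled and any(s.algorithm in disabled for s in rrsigs):
        # Regression: a signature the resolver cannot use is counted as a failed
        # verification, so the whole RRset is bogus although another signature is good.
        return "bogus"
    # RFC 6840 s5.11: one valid signature by a supported algorithm is sufficient;
    # signatures with unusable algorithms are simply skipped.
    usable = [s for s in rrsigs if s.algorithm not in disabled]
    return "secure" if any(s.crypto_ok for s in usable) else "bogus"


# Constructed scenario from the report: record signed with RSASHA1 and RSASHA256,
# both signatures cryptographically fine, SHA1 algorithms disabled by policy.
DUAL_SIGNED = (Rrsig(RSASHA1, 12345, True), Rrsig(RSASHA256, 54321, True))
ZONE_ALGS = {RSASHA1, RSASHA256}
NO_SHA1 = {RSASHA1, RSASHA1_NSEC3_SHA1}

if __name__ == "__main__":
    print("expected: ", validate_rrset(DUAL_SIGNED, ZONE_ALGS, NO_SHA1))
    print("regressed:", validate_rrset(DUAL_SIGNED, ZONE_ALGS, NO_SHA1, skip_disabled=False))
```

Running the block prints "secure" for the expected path and "bogus" (the SERVFAIL case) for the regressed one, which is the difference the report describes.
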
Comment 2 Fedora Update System 2025-11-06 13:05:02 UTC
FEDORA-2025-06c5a74197 (bind-9.18.41-2.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-06c5a74197

Comment 3 Fedora Update System 2025-11-06 13:06:10 UTC
FEDORA-2025-3e245eae46 (bind-9.18.41-2.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-3e245eae46

Comment 4 Fedora Update System 2025-11-06 14:29:27 UTC
FEDORA-2025-b1643093e5 (bind-9.18.41-2.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-b1643093e5

Comment 5 Fedora Update System 2025-11-07 02:13:25 UTC
FEDORA-2025-3e245eae46 has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-3e245eae46`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-3e245eae46

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2025-11-07 03:00:38 UTC
FEDORA-2025-b1643093e5 has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-b1643093e5`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-b1643093e5

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2025-11-07 05:07:03 UTC
FEDORA-2025-06c5a74197 has been pushed to the Fedora 41 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-06c5a74197`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-06c5a74197

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2025-11-09 03:07:12 UTC
FEDORA-2025-3e245eae46 (bind-9.18.41-2.fc43) has been pushed to the Fedora 43 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 9 Fedora Update System 2025-11-15 01:41:35 UTC
FEDORA-2025-06c5a74197 (bind-9.18.41-2.fc41) has been pushed to the Fedora 41 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 10 Fedora Update System 2025-11-22 01:11:45 UTC
FEDORA-2025-b1643093e5 (bind-9.18.41-2.fc42) has been pushed to the Fedora 42 stable repository.
If the problem still persists, please make note of it in this bug report.