Bug 2413104

Summary: Regression with disabled algorithms after CVE-2025-8677 fixes
Product: Fedora
Reporter: Petr Menšík <pemensik>
Component: bind9-next
Assignee: Petr Menšík <pemensik>
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Version: rawhide
CC: anon.amish, dns-sig, extras-qa, mruprich, pemensik, pspacek, zdohnal
Keywords: Regression
Hardware: Unspecified
OS: Linux
Fixed In Version: bind9-next-9.21.14-2.fc44 bind9-next-9.21.14-2.fc42 bind9-next-9.21.14-2.fc43
Clone Of: 2413070
Last Closed: 2025-11-06 16:27:42 UTC
Bug Depends On: 2405830, 2413070

Description Petr Menšík 2025-11-06 14:54:21 UTC
+++ This bug was initially created as a clone of Bug #2413070 +++

Shortly after the release of the CVE-2025-8677 fix, users started reporting problems on RHEL machines. The DEFAULT crypto policy has not permitted verification with the SHA1 algorithm since RHEL 9.

Threads:
https://lists.isc.org/pipermail/bind-users/2025-October/110228.html
https://lists.isc.org/pipermail/bind-users/2025-October/110223.html

It soon turned out that it happens only on dual-signed zones, where one of the algorithms is 5 or 7.

On Fedora it is less important, because the DEFAULT crypto policy does not prevent SHA1 signature verification. But in some configurations it would be a problem as well.

Reproducible: Always

Steps to Reproduce:
1. Have a zone signed with a disabled algorithm (5 or 7, for example) together with a signature of a supported algorithm (8+)
2. Have dnssec-validation auto or yes
Actual Results:
Resolution started getting SERVFAIL, although there is one valid signature on the record.

Expected Results:
The record is marked with the AD bit and the unsupported-algorithm signature is just skipped.

Additional Information:
This might happen when the RSASHA1 and RSASHA1NSEC3 algorithms are disabled. That happens in Fedora with the DEFAULT:NO-SHA1 crypto policy or by using disable-algorithms in named.conf.

Reported upstream: https://gitlab.isc.org/isc-projects/bind9/-/issues/5622

The first difference when trying it with delv +vtrace starts with:

--- Additional comment from Petr Menšík on 2025-11-06 12:24:02 CET ---

https://gitlab.isc.org/isc-projects/bind9/-/issues/5622

--- Additional comment from Fedora Update System on 2025-11-06 14:05:02 CET ---

FEDORA-2025-06c5a74197 (bind-9.18.41-2.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-06c5a74197

--- Additional comment from Fedora Update System on 2025-11-06 14:06:10 CET ---

FEDORA-2025-3e245eae46 (bind-9.18.41-2.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-3e245eae46

--- Additional comment from Fedora Update System on 2025-11-06 15:29:27 CET ---

FEDORA-2025-b1643093e5 (bind-9.18.41-2.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-b1643093e5

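The validation rule the report expects (an RRSIG whose algorithm is disabled or unsupported is skipped, and the RRset is secure if any remaining RRSIG verifies; RFC 6840 section 5.11: "Validators SHOULD accept any single valid path"), as an added Python model. This is example code written for this page, not BIND's validator and not from the upstream issue: the named.conf fragment, the key tags and the `verifies` flag are constructed stand-ins for a real signature check, and the real validator settles the algorithm question at the DS/DNSKEY chain (RFC 4035 section 5.2) before it reaches the RRset, which the model does not reproduce.

```python
"""Model of the DNSSEC RRSIG selection rule the bug report expects.

Added illustration, not BIND code: it models the validator decision at the
RRset level and feeds it the disable-algorithms list from a named.conf
snippet of the kind the report mentions.
"""
import re
from dataclasses import dataclass
from enum import Enum

# IANA DNS Security Algorithm Numbers, keyed by the names named.conf accepts.
ALG_NUMBERS = {
    "RSASHA1": 5,
    "NSEC3RSASHA1": 7,
    "RSASHA256": 8,
    "RSASHA512": 10,
    "ECDSAP256SHA256": 13,
    "ECDSAP384SHA384": 14,
    "ED25519": 15,
    "ED448": 16,
}

# Algorithms this hypothetical validator build is able to verify at all.
SUPPORTED = frozenset(ALG_NUMBERS.values())


class Status(Enum):
    SECURE = "secure"      # a usable RRSIG verified: answer gets the AD bit
    INSECURE = "insecure"  # nothing could be checked: treated as unsigned
    BOGUS = "bogus"        # every checkable RRSIG failed: resolver SERVFAILs


@dataclass(frozen=True)
class Rrsig:
    algorithm: int
    key_tag: int
    verifies: bool  # constructed stand-in for the actual crypto check


# Constructed named.conf fragment: the administrative way (without the
# NO-SHA1 crypto policy) to get algorithms 5 and 7 disabled on Fedora.
NAMED_CONF = """
options {
    dnssec-validation auto;
    disable-algorithms "." { RSASHA1; NSEC3RSASHA1; };
};
"""

_DISABLE_RE = re.compile(r'disable-algorithms\s+"([^"]*)"\s*\{([^}]*)\}')


def disabled_algorithms(conf: str, domain: str = ".") -> frozenset:
    """Return the algorithm numbers disabled for `domain` by the snippet.

    Only the literal form `disable-algorithms "<domain>" { NAME; ... };`
    is handled; this is enough for the example, not a named.conf parser.
    """
    disabled = set()
    for dom, body in _DISABLE_RE.findall(conf):
        if dom != domain:
            continue
        for name in body.replace(";", " ").split():
            disabled.add(ALG_NUMBERS[name.upper()])
    return frozenset(disabled)


def validate_rrset(rrsigs, disabled=frozenset(), supported=SUPPORTED) -> Status:
    """Decide the security status of one RRset from its RRSIG set.

    An RRSIG made with an algorithm the validator cannot or may not use is
    skipped, never counted as a failure; any single verifying RRSIG makes
    the RRset SECURE. Only when RRSIGs were actually checked and all of them
    failed does the RRset become BOGUS (the SERVFAIL case).
    """
    checked = 0
    for sig in rrsigs:
        if sig.algorithm in disabled or sig.algorithm not in supported:
            continue  # the skip the report says must not turn into SERVFAIL
        checked += 1
        if sig.verifies:
            return Status.SECURE
    return Status.INSECURE if checked == 0 else Status.BOGUS


def main():
    disabled = disabled_algorithms(NAMED_CONF)
    cases = {
        # dual-signed zone from the report: algorithm 5 (disabled) plus 8
        "dual-signed": (Rrsig(5, 11111, True), Rrsig(8, 22222, True)),
        # zone signed only with RSASHA1: nothing left for us to check
        "sha1-only": (Rrsig(5, 11111, True),),
        # dual-signed, but the RSASHA256 signature itself is broken
        "dual-bad-256": (Rrsig(5, 11111, True), Rrsig(8, 22222, False)),
    }
    for name, sigs in cases.items():
        print(f"{name:12s} -> {validate_rrset(sigs, disabled).value}")


if __name__ == "__main__":
    main()
```

Running it prints `secure` for the dual-signed set (the AD-bit outcome the report calls expected), `insecure` for a zone carrying only a disabled algorithm (no SERVFAIL, the zone is simply treated as unsigned by this validator), and `bogus` only when the one checkable signature really fails.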
Comment 1 Fedora Update System 2025-11-06 16:24:24 UTC
FEDORA-2025-4faf6b7b75 (bind9-next-9.21.14-2.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-4faf6b7b75

Comment 2 Fedora Update System 2025-11-06 16:27:42 UTC
FEDORA-2025-4faf6b7b75 (bind9-next-9.21.14-2.fc44) has been pushed to the Fedora 44 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 3 Fedora Update System 2025-11-07 11:10:38 UTC
FEDORA-2025-b68f7f541d (bind9-next-9.21.14-2.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-b68f7f541d

Comment 4 Fedora Update System 2025-11-07 11:10:59 UTC
FEDORA-2025-d9f9394ecd (bind9-next-9.21.14-2.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-d9f9394ecd

Comment 5 Fedora Update System 2025-11-08 02:03:17 UTC
FEDORA-2025-b68f7f541d has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-b68f7f541d`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-b68f7f541d

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2025-11-08 02:19:34 UTC
FEDORA-2025-d9f9394ecd has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-d9f9394ecd`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-d9f9394ecd

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2025-11-16 00:55:02 UTC
FEDORA-2025-d9f9394ecd (bind9-next-9.21.14-2.fc42) has been pushed to the Fedora 42 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 8 Fedora Update System 2025-11-16 01:20:25 UTC
FEDORA-2025-b68f7f541d (bind9-next-9.21.14-2.fc43) has been pushed to the Fedora 43 stable repository.
If the problem still persists, please make note of it in this bug report.