Description of problem:
Crypto policies in RHEL9 will block SHA-1 signatures by default. However, RFC 8624 [1] requires SHA-1 validation as mandatory. Because crypto policy is mandatory, it will affect any DNSSEC validating software using openssl or gnutls.

Version-Release number of selected component (if applicable):
openssl-libs-3.0.1-21.el9.x86_64
crypto-policies-20220223-1.git5203b41.el9_0.1.noarch
gnutls-3.7.3-9.el9.x86_64

How reproducible:
reliable

Steps to Reproduce:
1. delv int

Actual results:
# delv int
;; EVP_VerifyFinal failed (verify failure)
;; error:03000098:digital envelope routines::invalid digest:crypto/evp/pmeth_lib.c:959:
;; EVP_VerifyFinal failed (verify failure)
;; error:03000098:digital envelope routines::invalid digest:crypto/evp/pmeth_lib.c:959:
;; validating int/DNSKEY: no valid signature found
;; insecurity proof failed resolving 'int/DNSKEY/IN': 10.2.32.1#53
;; validating rtma1k8jfek31ikuajq7rie9dufhe33b.int/NSEC3: bad cache hit (int/DNSKEY)
;; broken trust chain resolving 'int/A/IN': 10.2.32.1#53
;; resolution failed: broken trust chain

Expected results:
;; resolution failed: ncache nxrrset
; negative response, fully validated
; int. 3000 IN \-A ;-$NXRRSET
; int. SOA sns.dns.icann.org. noc.dns.icann.org. 2022040601 3600 1800 604800 3600
; int. RRSIG SOA ...
; rtma1k8jfek31ikuajq7rie9dufhe33b.int. RRSIG NSEC3 ...
; rtma1k8jfek31ikuajq7rie9dufhe33b.int. NSEC3 1 0 5 398954BBB503FF9D S2BQ3UEQJHSGU7FE7M8QPQ563E9PTFH5 NS SOA RRSIG DNSKEY NSEC3PARAM

Additional info:
The command "update-crypto-policies --set DEFAULT:SHA1" will switch to a crypto policy which would allow the previous behaviour and success of both signature verification and creation.

1. https://datatracker.ietf.org/doc/html/rfc8624#section-3.1
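One way to find out in advance which zones will stop validating under a policy that rejects SHA-1 signatures: scan DNSKEY and RRSIG records for the SHA-1 algorithm numbers from RFC 8624 section 3.1. This is an added example, not code from the bug report or from crypto-policies; it assumes dig/delv presentation format as input, and the sample records and key data are constructed placeholders.

```python
from dataclasses import dataclass

# DNSKEY algorithm numbers from RFC 8624 section 3.1 whose signatures use
# SHA-1. RFC 8624 keeps validating them mandatory, which is why a crypto
# policy that rejects SHA-1 signatures breaks validation of such zones.
SHA1_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}
OTHER_ALGORITHMS = {8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256",
                    14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}

@dataclass
class Finding:
    owner: str
    rrtype: str          # "DNSKEY" or "RRSIG"
    algorithm: int
    needs_sha1: bool

def parse_records(text):
    """Parse presentation-format DNSKEY and RRSIG lines (dig/delv style).

    Comment lines (';'), blank lines and other record types are skipped.
    The first DNSKEY/RRSIG token on a line is the record type, so an
    'RRSIG DNSKEY ...' line is correctly read as an RRSIG.
    """
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue
        pos = next((i for i, t in enumerate(fields) if t in ("DNSKEY", "RRSIG")), None)
        if pos is None:
            continue
        try:
            # DNSKEY: flags protocol algorithm key / RRSIG: type-covered algorithm labels ...
            alg = int(fields[pos + 3] if fields[pos] == "DNSKEY" else fields[pos + 2])
        except (IndexError, ValueError):
            continue                           # malformed line: ignore it
        findings.append(Finding(fields[0], fields[pos], alg, alg in SHA1_ALGORITHMS))
    return findings

def zones_blocked_by_sha1_policy(text):
    """Owner names whose DNSSEC material cannot validate without SHA-1."""
    return sorted({f.owner for f in parse_records(text) if f.needs_sha1})

# Constructed sample; key and signature fields are placeholders, not real data.
SAMPLE = """\
; constructed records for illustration
int.     3600 IN DNSKEY 257 3 7 AwEAAc...placeholder-KSK...
int.     3600 IN DNSKEY 256 3 7 AwEAAb...placeholder-ZSK...
int.     3600 IN RRSIG  DNSKEY 7 1 3600 20220420000000 20220406000000 12345 int. sig...
int.     3600 IN RRSIG  SOA 7 1 3600 20220420000000 20220406000000 54321 int. sig...
example. 3600 IN DNSKEY 257 3 13 mdsswUyr...placeholder...
example. 3600 IN RRSIG  SOA 13 1 3600 20220420000000 20220406000000 11111 example. sig...
"""
```

Running `zones_blocked_by_sha1_policy(SAMPLE)` reports only `int.`, the zone that would need the DEFAULT:SHA1 policy described above to validate.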
Oh, stubby cannot be built on EPEL9 yet, because unbound-devel is not available. Bug #2056116 is filed to fix this. Until then, there is no chance to fix this possible failure or even test whether it is affected.
I guess now it can be built, and unbound/bind fixed the "sha1 is broken in crypto library" situation, but I'm not sure if stubby needs handling separate from libunbound for this. Likely not?