Shortly after release of CVE-2025-8677 users started reporting problems on RHEL machines. DEFAULT crypto policy does not permit verification of SHA1 algorithm since RHEL9. Threads: https://lists.isc.org/pipermail/bind-users/2025-October/110228.html https://lists.isc.org/pipermail/bind-users/2025-October/110223.html Turned out soon it happens only on dual signed zones, where one of algorithms is 5 or 7. On Fedora it is less important, because DEFAULT crypto policy does not prevent SHA1 signatures verification. But in some configurations it would be problem as well. Reproducible: Always Steps to Reproduce: 1. Have a zone signed with disabled algorithm (5 or 7 for example) together with signature of supported algorithm (8+) 2. Have dnssec-validation auto or yes 3. Actual Results: Resolution started getting SERVFAIL, although there is one valid signature at the record. Expected Results: Record is marked with AD bit and unsupported algorithm signature will be just skipped. Additional Information: This might happen when RSASHA1 and RSASHA1NSEC3 algorithms are disabled. That happens in Fedora with DEFAULT:NO-SHA1 crypto policy or by using disabled-algorithm in named.conf. Reported upstream: https://gitlab.isc.org/isc-projects/bind9/-/issues/5622 The first difference when trying it with delv +vtrace starts with:
https://gitlab.isc.org/isc-projects/bind9/-/issues/5622
FEDORA-2025-06c5a74197 (bind-9.18.41-2.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2025-06c5a74197
FEDORA-2025-3e245eae46 (bind-9.18.41-2.fc43) has been submitted as an update to Fedora 43. https://bodhi.fedoraproject.org/updates/FEDORA-2025-3e245eae46
FEDORA-2025-b1643093e5 (bind-9.18.41-2.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-b1643093e5
FEDORA-2025-3e245eae46 has been pushed to the Fedora 43 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-3e245eae46` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-3e245eae46 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-b1643093e5 has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-b1643093e5` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-b1643093e5 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-06c5a74197 has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-06c5a74197` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-06c5a74197 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-3e245eae46 (bind-9.18.41-2.fc43) has been pushed to the Fedora 43 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2025-06c5a74197 (bind-9.18.41-2.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2025-b1643093e5 (bind-9.18.41-2.fc42) has been pushed to the Fedora 42 stable repository. If problem still persists, please make note of it in this bug report.