Bug 2413104 - Regression with disabled algorithms after CVE-2025-8677 fixes
Summary: Regression with disabled algorithms after CVE-2025-8677 fixes
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: bind9-next
Version: rawhide
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Petr Menšík
QA Contact:
URL:
Whiteboard:
Depends On: CVE-2025-8677 2413070
Blocks:
Reported: 2025-11-06 14:54 UTC by Petr Menšík
Modified: 2025-11-16 01:20 UTC (History)

Fixed In Version: bind9-next-9.21.14-2.fc44 bind9-next-9.21.14-2.fc42 bind9-next-9.21.14-2.fc43
Clone Of: 2413070
Environment:
Last Closed: 2025-11-06 16:27:42 UTC
Type: ---
Embargoed:



Description Petr Menšík 2025-11-06 14:54:21 UTC
+++ This bug was initially created as a clone of Bug #2413070 +++

Shortly after the release of CVE-2025-8677, users started reporting problems on RHEL machines. The DEFAULT crypto policy has not permitted verification of the SHA1 algorithm since RHEL 9.

Threads:
https://lists.isc.org/pipermail/bind-users/2025-October/110228.html
https://lists.isc.org/pipermail/bind-users/2025-October/110223.html

It soon turned out that it happens only on dual-signed zones, where one of the algorithms is 5 or 7.

On Fedora it is less important, because the DEFAULT crypto policy does not prevent SHA1 signature verification. But in some configurations it would be a problem as well.

Reproducible: Always

Steps to Reproduce:
1. Have a zone signed with a disabled algorithm (5 or 7, for example) together with a signature of a supported algorithm (8+)
2. Have dnssec-validation auto or yes

Actual Results:
Resolution started getting SERVFAIL, although there is one valid signature on the record.

Expected Results:
The record is marked with the AD bit and the signature with the unsupported algorithm is just skipped.

Additional Information:
This might happen when the RSASHA1 and RSASHA1NSEC3 algorithms are disabled. That happens in Fedora with the DEFAULT:NO-SHA1 crypto policy or by using disabled-algorithm in named.conf.

Reported upstream: https://gitlab.isc.org/isc-projects/bind9/-/issues/5622

The first difference when trying it with delv +vtrace starts with:

--- Additional comment from Petr Menšík on 2025-11-06 12:24:02 CET ---

https://gitlab.isc.org/isc-projects/bind9/-/issues/5622

--- Additional comment from Fedora Update System on 2025-11-06 14:05:02 CET ---

FEDORA-2025-06c5a74197 (bind-9.18.41-2.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-06c5a74197

--- Additional comment from Fedora Update System on 2025-11-06 14:06:10 CET ---

FEDORA-2025-3e245eae46 (bind-9.18.41-2.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-3e245eae46

--- Additional comment from Fedora Update System on 2025-11-06 15:29:27 CET ---

FEDORA-2025-b1643093e5 (bind-9.18.41-2.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-b1643093e5
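
The expected behaviour described in the report (a dual-signed RRset stays secure when only one of its signature algorithms is disabled) contrasted with the regression (any disabled-algorithm RRSIG poisons the whole RRset, which the resolver surfaces as SERVFAIL), as an added model in Python. This is not code from BIND or from the bug report; RRSIG generation and verification are replaced by an HMAC stand-in so the script runs offline, and the zone name, key tags and key material are constructed. Only the validator's decision logic (which signatures to skip, when the zone counts as unsigned, when it is bogus) is what the example demonstrates.

```python
import hashlib
import hmac
from dataclasses import dataclass

# DNSSEC algorithm numbers from the IANA registry. 5 and 7 are the SHA1-based
# RSA algorithms that DEFAULT:NO-SHA1 or a named.conf disable list turns off.
RSASHA1 = 5
RSASHA1_NSEC3_SHA1 = 7
RSASHA256 = 8


@dataclass(frozen=True)
class DNSKEY:
    algorithm: int
    key_tag: int
    key_material: bytes  # constructed stand-in for the public key


@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    key_tag: int
    signature: bytes


def sign(key: DNSKEY, rrset: bytes) -> RRSIG:
    """Constructed stand-in for RRSIG generation: HMAC-SHA256 over the canonical
    RRset. Real DNSSEC uses RSA/ECDSA per algorithm number."""
    mac = hmac.new(key.key_material, rrset, hashlib.sha256).digest()
    return RRSIG(key.algorithm, key.key_tag, mac)


def verify(key: DNSKEY, sig: RRSIG, rrset: bytes) -> bool:
    expected = hmac.new(key.key_material, rrset, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig.signature)


def validate_rrset(rrset, rrsigs, dnskeys, disabled):
    """Expected behaviour (RFC 4035 s5.3, RFC 6840 s5.2, simplified):
    - if no DNSKEY in the zone uses an algorithm we can verify, the zone is
      treated as unsigned -> 'insecure' (no AD bit, but no SERVFAIL);
    - otherwise skip RRSIGs whose algorithm is disabled and accept the RRset
      if any remaining RRSIG verifies -> 'secure' (AD bit set);
    - else -> 'bogus'."""
    if not any(k.algorithm not in disabled for k in dnskeys):
        return "insecure"
    for sig in (s for s in rrsigs if s.algorithm not in disabled):
        for key in dnskeys:
            if key.algorithm == sig.algorithm and key.key_tag == sig.key_tag:
                if verify(key, sig, rrset):
                    return "secure"
    return "bogus"


def validate_rrset_regressed(rrset, rrsigs, dnskeys, disabled):
    """Model of the reported regression: the presence of any RRSIG made with a
    disabled algorithm fails the whole RRset instead of being skipped."""
    if any(s.algorithm in disabled for s in rrsigs):
        return "bogus"
    return validate_rrset(rrset, rrsigs, dnskeys, set())


def demo_dual_signed_zone():
    """Dual-signed RRset (alg 5 + alg 8) validated with SHA1 algorithms disabled.
    Returns (expected_result, regressed_result)."""
    rrset = b"example.test. 3600 IN A 192.0.2.1"  # constructed canonical RRset
    zsk_sha1 = DNSKEY(RSASHA1, 12345, b"constructed-rsasha1-key")
    zsk_sha256 = DNSKEY(RSASHA256, 54321, b"constructed-rsasha256-key")
    dnskeys = [zsk_sha1, zsk_sha256]
    rrsigs = [sign(zsk_sha1, rrset), sign(zsk_sha256, rrset)]
    disabled = {RSASHA1, RSASHA1_NSEC3_SHA1}
    return (validate_rrset(rrset, rrsigs, dnskeys, disabled),
            validate_rrset_regressed(rrset, rrsigs, dnskeys, disabled))


def demo_sha1_only_zone():
    """Zone signed only with alg 5: with SHA1 disabled it must be treated as
    unsigned (insecure), not as bogus."""
    rrset = b"example.test. 3600 IN A 192.0.2.1"
    zsk_sha1 = DNSKEY(RSASHA1, 12345, b"constructed-rsasha1-key")
    return validate_rrset(rrset, [sign(zsk_sha1, rrset)], [zsk_sha1],
                          {RSASHA1, RSASHA1_NSEC3_SHA1})


def demo_tampered_rrset():
    """Dual-signed RRset whose data was altered: the alg 8 signature no longer
    verifies, so the correct answer is bogus even with alg 5 skipped."""
    rrset = b"example.test. 3600 IN A 192.0.2.1"
    zsk_sha1 = DNSKEY(RSASHA1, 12345, b"constructed-rsasha1-key")
    zsk_sha256 = DNSKEY(RSASHA256, 54321, b"constructed-rsasha256-key")
    rrsigs = [sign(zsk_sha1, rrset), sign(zsk_sha256, rrset)]
    return validate_rrset(b"example.test. 3600 IN A 198.51.100.9", rrsigs,
                          [zsk_sha1, zsk_sha256], {RSASHA1})


if __name__ == "__main__":
    print("dual-signed, SHA1 disabled (expected, regressed):", demo_dual_signed_zone())
    print("SHA1-only zone, SHA1 disabled:", demo_sha1_only_zone())
    print("tampered dual-signed RRset:", demo_tampered_rrset())
```

The pair returned by demo_dual_signed_zone is the whole bug in miniature: the expected validator answers "secure" because the RSASHA256 signature verifies and the RSASHA1 one is simply ignored, while the regressed logic answers "bogus" the moment it sees a disabled algorithm, which is the SERVFAIL users reported. The other two demos show the two outcomes a validator must still distinguish after the fix: a zone with no supported algorithm at all is insecure rather than bogus, and altered data under a supported algorithm remains bogus.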

Comment 1 Fedora Update System 2025-11-06 16:24:24 UTC
FEDORA-2025-4faf6b7b75 (bind9-next-9.21.14-2.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-4faf6b7b75

Comment 2 Fedora Update System 2025-11-06 16:27:42 UTC
FEDORA-2025-4faf6b7b75 (bind9-next-9.21.14-2.fc44) has been pushed to the Fedora 44 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 3 Fedora Update System 2025-11-07 11:10:38 UTC
FEDORA-2025-b68f7f541d (bind9-next-9.21.14-2.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-b68f7f541d

Comment 4 Fedora Update System 2025-11-07 11:10:59 UTC
FEDORA-2025-d9f9394ecd (bind9-next-9.21.14-2.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-d9f9394ecd

Comment 5 Fedora Update System 2025-11-08 02:03:17 UTC
FEDORA-2025-b68f7f541d has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-b68f7f541d`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-b68f7f541d

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2025-11-08 02:19:34 UTC
FEDORA-2025-d9f9394ecd has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-d9f9394ecd`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-d9f9394ecd

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2025-11-16 00:55:02 UTC
FEDORA-2025-d9f9394ecd (bind9-next-9.21.14-2.fc42) has been pushed to the Fedora 42 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 8 Fedora Update System 2025-11-16 01:20:25 UTC
FEDORA-2025-b68f7f541d (bind9-next-9.21.14-2.fc43) has been pushed to the Fedora 43 stable repository.
If the problem still persists, please make note of it in this bug report.

