> On 19 Mar 2022, at 01:37, Anand Buddhdev <ana...@ripe.net> wrote:
>
> On 18/03/2022 15:25, lejeczek via bind-users wrote:
>
> Hi L,
>
>> how to troubleshoot that?
>> ...
>> 18-Mar-2022 14:17:41.725 warning: EVP_VerifyFinal failed (verify failure)
>> 18-Mar-2022 14:17:41.725 info: error:03000098:digital envelope routines::invalid digest:crypto/evp/pmeth_lib.c:959:
>> 18-Mar-2022 14:17:41.725 info: validating paypal.com/DNSKEY: no valid signature found
>> ...
>> I'd imagine it must be some up-the-chain servers doing something there - my local 'bind' does not point/use any specific forwarders.
>
> The zone is correctly signed, but with RSASHA1, which is not recommended. You may be on a Linux distro whose openssl disables old algorithms like RSASHA1, and so BIND will not be able to validate this zone.
If so, disable the given algorithms and digests in named.conf so that named can treat the zones as insecure. I will note that with FIPS mode you can still verify zones signed with RSASHA1 but not sign with RSASHA1. I'm also thinking what is the point of allowing EVP_DigestInit_ex to succeed if you can't sign or verify.

> Regards,
> Anand
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
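The named.conf change Mark describes, written out as an added example (it is not from the thread or from ISC's own documentation): it uses the BIND 9 options `disable-algorithms` and `disable-ds-digests`, and assumes you want the rule to apply under "." so it covers every zone, not only the one in the log.

```conf
options {
    /* Added example: tell the validator to ignore RSASHA1 (5) and
       NSEC3RSASHA1 (7) signatures for every name under ".".  A zone
       signed only with these algorithms then validates as insecure
       instead of failing with SERVFAIL, which is the outcome Mark
       describes above for a libcrypto that refuses SHA-1 operations. */
    disable-algorithms "." { RSASHA1; NSEC3RSASHA1; };

    /* Only needed if the same OpenSSL build also rejects SHA-1 DS
       digests: treat a DS that carries only a SHA-1 digest as absent. */
    disable-ds-digests "." { SHA-1; };
};
```

Zones that also publish RSASHA256 or ECDSA signatures (or SHA-256 DS digests) keep validating normally; the rule only removes the weak options from consideration.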