The crypto policy stuff ultimately creates and maintains files in /etc/crypto-policy/backends, which has a list of acceptable or not-acceptable crypto settings.

Whilst a "bind.config" is created, you aren't including it in your config (this is fine), which suggests that the issue is with some of the openssl configurations (which will be system wide anyway). You can use update-crypto-policies to update only the openssl configuration to allow sha1, or you could manually recreate those files (instead of the usual symlinks) and edit them individually as you please.

Stuart

From: bind-users <bind-users-boun...@lists.isc.org> on behalf of John Thurston <john.thurs...@alaska.gov>
Date: Thursday, 18 April 2024 at 06:39
To: "bind-users@lists.isc.org" <bind-users@lists.isc.org>
Subject: Re: Answers for www.dnssec-failed.org with dnssec-validation auto;

Arrgh. You are correct. I was so far down in the weeds, I didn't notice a rock had fallen on my head.

I know I can re-enable SHA1 for everything on the host with:

    update-crypto-policies --set DEFAULT:SHA1

But that's a fairly broad stroke, when only 'named' needs to accept such signatures. Is there a way to narrow it down?

--
Do things because you should, not just because you can.
John Thurston 907-465-8591
mailto:john.thurs...@alaska.gov
Department of Administration
State of Alaska

On 4/17/2024 9:21 AM, Ondřej Surý wrote:

Let me guess - you are running on RHEL (without SHA-1 support) and dnssec-failed.org is signed with RSA/SHA-1…

--
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
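One way to do the per-back-end narrowing Stuart describes, as an added example that is not from the thread or from the crypto-policies project: it replaces the OpenSSL back-end symlink with a local regular file and flips only the SHA-1 signature property, leaving every other back-end on the system-wide policy. It assumes the RHEL 9 layout (/etc/crypto-policies/back-ends/opensslcnf.config with an [evp_properties] section and the rh-allow-sha1-signatures key), which the thread does not state, and takes the policy directory as a parameter so it can be tried on a scratch tree first.

```shell
#!/bin/sh
# Added example, not code from the thread or from crypto-policies itself.
# Narrows SHA-1 re-enablement to the OpenSSL back-end instead of the
# host-wide `update-crypto-policies --set DEFAULT:SHA1`. Assumed layout:
# <dir>/back-ends/opensslcnf.config holding rh-allow-sha1-signatures under
# [evp_properties]. <dir> is a parameter so this can run on a scratch tree.
set -eu

# Report the OpenSSL back-end's current setting: yes, no, or unset.
sha1_sig_state() {
    awk -F'=' '/^rh-allow-sha1-signatures[[:space:]]*=/ { v = $2; gsub(/[[:space:]]/, "", v) }
               END { print (v == "" ? "unset" : v) }' "$1/back-ends/opensslcnf.config"
}

# Replace the managed symlink with a local regular file and flip only the
# SHA-1 signature property. Every other back-end keeps the system-wide policy.
allow_sha1_for_openssl() {
    f="$1/back-ends/opensslcnf.config"
    if [ -L "$f" ]; then
        tmp=$(mktemp)
        cat "$f" > "$tmp"          # copy the generated content ...
        mv -f "$tmp" "$f"          # ... and replace the link, not its target
        chmod 644 "$f"
    fi
    if grep -q '^rh-allow-sha1-signatures[[:space:]]*=' "$f"; then
        sed -i 's/^rh-allow-sha1-signatures[[:space:]]*=.*/rh-allow-sha1-signatures = yes/' "$f"
    else
        printf '\n[evp_properties]\nrh-allow-sha1-signatures = yes\n' >> "$f"
    fi
}

# List the back-ends that are still policy-managed symlinks, one per line,
# so a reviewer can confirm nothing beyond OpenSSL was loosened.
untouched_backends() {
    for b in "$1"/back-ends/*; do
        if [ "$(basename "$b")" != opensslcnf.config ] && [ -L "$b" ]; then
            basename "$b"
        fi
    done
}

# Touch the live policy directory only when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    allow_sha1_for_openssl /etc/crypto-policies
    echo "OpenSSL back-end now: $(sha1_sig_state /etc/crypto-policies)"
fi
```

The detached copy no longer follows later update-crypto-policies runs, so re-check it with sha1_sig_state after any policy change.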