On Thu, Oct 06, 2022 at 01:37:39PM -0400, Viktor Dukhovni wrote:
> It is possible that your resolver has fallen victim to the RHEL/Fedora
> "crypto policy" changes that by default disable (i.e. make fail)
> RSAwithSHA1 signature validation.
>
> https://lwn.net/Articles/887832/
> https://bugzilla.redhat.com/show_bug.cgi?id=2073066
>
> > Checking with my local resolver (unbound),
> >
> > dig +ad +noall +comment +ans +auth -t tlsa _25._tcp.christopher-ew.state.gov
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 491
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 1232
>
> All the resolvers I've tried work. There's likely some FAQ or other
> documentation from RedHat about what you need to do to be able to
> continue to resolve DNSSEC zones signed with the deprecated, but still
> in use at some domains, algorithms 5 and 7 (RSA SHA1).
>
> https://stats.dnssec-tools.org/explore/?state.gov
>
> There may be a more recent version of unbound that detects the lack of
> support and considers algorithms 5 and 7 as unsupported, and
> corresponding zones as "insecure" rather than "bogus".
>
> At https://stats.dnssec-tools.org you'll see that there are ~155k zones
> that use algorithms 5 or 7, out of ~19.6 million zones total.
All that said, if the issue really were algorithm 5/7 breakage, you
wouldn't have been able to resolve the MX records for state.gov, so
likely the issue is still in your resolver, but something else...
--
Viktor.
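The triage logic behind the reply above, as an added example that is not part of the original thread or of any Red Hat or unbound documentation: parse the `;; ->>HEADER<<-` and `;; flags:` lines that dig prints (the same format shown in the quoted output), collect the algorithm numbers from the zone's DNSKEY RRset, and decide whether a SERVFAIL is a DNSSEC validation failure that the RSA/SHA-1 (algorithm 5/7) crypto-policy change would explain, a validation failure for some other reason, or a resolver problem unrelated to validation. The comparison against a second query with checking disabled (`dig +cd`) is the standard DNSSEC troubleshooting step I would add; the message itself only argues from the fact that the MX records still resolve. All dig output and DNSKEY records below are constructed inline so the script runs offline; the zone name and key material are placeholders, not real data.

```python
"""Classify a DNSSEC SERVFAIL from dig output (constructed samples, runs offline)."""
import re
from dataclasses import dataclass

# IANA DNSSEC algorithm numbers. 5 and 7 are the RSA/SHA-1 algorithms that the
# RHEL/Fedora crypto policy refuses to validate (RSAwithSHA1 signatures fail).
RSA_SHA1_ALGS = {5, 7}
ALG_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
             10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
             15: "ED25519"}

# Triage outcomes returned by triage().
VALIDATED = "validated"                    # NOERROR with the AD bit set
UNVALIDATED = "insecure-or-unvalidated"   # NOERROR without AD
BOGUS_SHA1 = "bogus-rsa-sha1-only"        # fails only with validation; zone uses only alg 5/7
BOGUS_OTHER = "bogus-other"               # fails only with validation; algorithms are not the reason
RESOLVER_FAILURE = "resolver-failure"     # SERVFAIL even with checking disabled (+cd)

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)", re.M)
FLAGS_RE = re.compile(r"^;; flags:([^;]*);", re.M)


@dataclass(frozen=True)
class DigResult:
    status: str            # rcode as dig prints it: NOERROR, SERVFAIL, NXDOMAIN, ...
    flags: frozenset       # header flags: qr, rd, ra, ad, cd, ...


def parse_dig(text: str) -> DigResult:
    """Extract rcode and header flags from dig's '+comment' output."""
    header = HEADER_RE.search(text)
    if not header:
        raise ValueError("no ';; ->>HEADER<<-' line in dig output")
    flags = FLAGS_RE.search(text)
    return DigResult(header.group(2),
                     frozenset(flags.group(1).split()) if flags else frozenset())


def dnskey_algorithms(rrset_text: str) -> set:
    """Collect algorithm numbers from DNSKEY records in presentation format.
    Fields after the type are: flags, protocol, algorithm, public key."""
    algs = set()
    for line in rrset_text.splitlines():
        fields = line.split()
        if "DNSKEY" in fields:
            algs.add(int(fields[fields.index("DNSKEY") + 3]))
    return algs


def triage(normal: DigResult, checking_disabled: DigResult, algs: set) -> str:
    """normal: result of the usual query; checking_disabled: same query with +cd."""
    if normal.status == "NOERROR":
        return VALIDATED if "ad" in normal.flags else UNVALIDATED
    if normal.status == "SERVFAIL" and checking_disabled.status == "NOERROR":
        # Data is reachable but fails validation: the resolver marks the zone bogus.
        # If every DNSKEY is RSA/SHA-1, a resolver whose crypto policy disabled
        # SHA-1 signature verification explains it; otherwise look elsewhere
        # (expired RRSIGs, broken DS chain, stale trust anchor, ...).
        return BOGUS_SHA1 if algs and algs <= RSA_SHA1_ALGS else BOGUS_OTHER
    # SERVFAIL with checking disabled too: the zone's data cannot be fetched at all,
    # so (as the reply argues for the still-resolving MX records) it is not the
    # algorithm 5/7 breakage but something else in the resolver or its upstream path.
    return RESOLVER_FAILURE


# --- constructed sample data (not captured from any real resolver or zone) ---
SERVFAIL_OUTPUT = """;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 491
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
CD_OK_OUTPUT = """;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 492
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
VALIDATED_OUTPUT = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 493
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
# Placeholder zone with a KSK and ZSK both using algorithm 7 (RSASHA1-NSEC3-SHA1).
SHA1_ZONE_DNSKEYS = """sha1-signed.example. 3600 IN DNSKEY 257 3 7 AwEAAcT3STpL0B4Ny
sha1-signed.example. 3600 IN DNSKEY 256 3 7 AwEAAbZ9QqkV8xP2M
"""

if __name__ == "__main__":
    algs = dnskey_algorithms(SHA1_ZONE_DNSKEYS)
    print("zone algorithms:", sorted(ALG_NAMES.get(a, str(a)) for a in algs))
    print("SERVFAIL, +cd works :", triage(parse_dig(SERVFAIL_OUTPUT), parse_dig(CD_OK_OUTPUT), algs))
    print("SERVFAIL, +cd fails :", triage(parse_dig(SERVFAIL_OUTPUT), parse_dig(SERVFAIL_OUTPUT), algs))
    print("NOERROR with AD     :", triage(parse_dig(VALIDATED_OUTPUT), parse_dig(VALIDATED_OUTPUT), algs))
```

In practice the two `DigResult` inputs come from `dig +ad ... -t tlsa <name>` and the same command with `+cd` added; run them against the resolver that is failing, not against a public resolver that happens to work.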