Anand Buddhdev writes:
> The zone is correctly signed, but with RSASHA1, which is not
> recommended. You may be on a Linux distro whose openssl disables old
> algorithms like RSASHA1, and so BIND will not be able to validate this zone.
Doesn't that violate a MUST in RFC 8624?
Mostly curious -
> On 19 Mar 2022, at 01:37, Anand Buddhdev wrote:
>
> On 18/03/2022 15:25, lejeczek via bind-users wrote:
>
> Hi L,
>
>> how to troubleshoot that?
>> ...
>> 18-Mar-2022 14:17:41.725 warning: EVP_VerifyFinal failed (verify failure)
>> 18-Mar-2022 14:17:41.725 info: error:0398:digital envel
On 18/03/2022 14:36, Daniel Stirnimann wrote:
You might use an operating system / crypto library which does not support
SHA1 anymore. paypal.com is signed with RSASHA1.
See warnings on https://dnsviz.net/d/paypal.com/YjSWxg/dnssec/
Just curious, what answer do you get from your resolver?
servfa
On 18/03/2022 15:25, lejeczek via bind-users wrote:
Hi L,
how to troubleshoot that?
...
18-Mar-2022 14:17:41.725 warning: EVP_VerifyFinal failed (verify failure)
18-Mar-2022 14:17:41.725 info: error:0398:digital envelope
routines::invalid digest:crypto/evp/pmeth_lib.c:959:
18-Mar-2022 14:1
You might use an operating system / crypto library which does not support
SHA1 anymore. paypal.com is signed with RSASHA1.
See warnings on https://dnsviz.net/d/paypal.com/YjSWxg/dnssec/
Just curious, what answer do you get from your resolver?
servfail or a missing ad-bit?
Daniel
On 18.03.22 15:25,