NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License

Issue in resolving a domain when crypto-library has sha1 disabled #1108

Open bleve opened 1 month ago

bleve commented 1 month ago

Describe the bug

When the system OpenSSL has SHA-1 disabled (CentOS Stream 9) and unbound is built with SHA-1 support, resolving the domain wyvern.org is not possible.

Expected behavior

I'd expect resolving to work but as insecure.

System:

Version 1.20.0

Configure line: --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --enable-systemd --with-dynlibmodule --enable-dnstap --with-dnstap-socket-path=/run/unbound/dnstap.sock --with-libnghttp2 --disable-gost --disable-rpath --disable-static --enable-ecdsa --enable-event-api --enable-ipsecmod --enable-linux-ip-local-port-range --enable-sha2 --with-chroot-dir= --with-conf-file=/etc/unbound/unbound.conf --with-libevent --with-pidfile= --with-pthreads --with-rootkey-file=/var/lib/unbound/root.key --with-run-dir=/etc/unbound --with-ssl
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.2.2 4 Jun 2024
Linked modules: dns64 dynlib ipsecmod respip validator iterator

BSD licensed, see LICENSE in source package for details. Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues

Additional information

This looks quite similar to issue #983 but not exactly the same, because the configuration is broken in a different way for this domain. https://dnsviz.net/d/wyvern.org/dnssec/
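The expected behaviour in the report ("resolve, but as insecure") is the rule from RFC 4035 section 5.2, clarified in RFC 6840 section 5.2: a DS record whose signature algorithm or digest type the validator cannot use is ignored, and if no usable DS record remains at a delegation the child zone is treated as unsigned (insecure), not bogus. The following is an added example, not Unbound's code, showing that decision in isolation. The DS records, the zone name `example.net.` and the two "supported algorithm" sets are constructed; the assumption that a SHA-1-disabling crypto policy removes the RSASHA1 signature algorithms while plain SHA-1 digests can still be computed is an assumption for the sake of the illustration.

```python
"""Added example (not Unbound code): apply the RFC 4035 s5.2 / RFC 6840 s5.2
rule that a delegation with no usable DS record is insecure, not bogus.
All DS records, zone names and support sets below are constructed."""

# DNSSEC algorithm numbers (IANA "DNS Security Algorithm Numbers" registry).
RSASHA1 = 5
RSASHA1_NSEC3_SHA1 = 7
RSASHA256 = 8
ECDSAP256SHA256 = 13

# DS digest types (IANA "Delegation Signer Digest Algorithms" registry).
DIGEST_SHA1 = 1
DIGEST_SHA256 = 2

# A build with SHA-1 support on a crypto library that still verifies SHA-1 signatures.
SUPPORTED_WITH_SHA1 = {
    "algorithms": {RSASHA1, RSASHA1_NSEC3_SHA1, RSASHA256, ECDSAP256SHA256},
    "digests": {DIGEST_SHA1, DIGEST_SHA256},
}

# The same build on a system whose crypto policy refuses SHA-1 signatures.
# Assumption for this example: signature verification with RSASHA1 fails, but
# computing a bare SHA-1 digest (as needed for DS digest type 1) still works.
SUPPORTED_WITHOUT_SHA1 = {
    "algorithms": {RSASHA256, ECDSAP256SHA256},
    "digests": {DIGEST_SHA1, DIGEST_SHA256},
}


def parse_ds(line):
    """Parse one DS record in presentation format.

    Returns (key_tag, algorithm, digest_type, digest_hex).  The digest may be
    split across several whitespace-separated fields, as dig prints it.
    """
    fields = line.split()
    # owner ttl class DS key_tag algorithm digest_type digest...
    if len(fields) < 8 or fields[3].upper() != "DS":
        raise ValueError("not a DS record: %r" % line)
    key_tag, algorithm, digest_type = (int(f) for f in fields[4:7])
    return key_tag, algorithm, digest_type, "".join(fields[7:]).lower()


def classify_delegation(ds_lines, supported):
    """Return 'insecure' when no DS record at the delegation is usable with the
    given support set, otherwise 'validate' (the validator must then go on and
    actually check signatures).  Treating an unusable record as a validation
    failure instead would turn this case into a bogus (SERVFAIL) answer."""
    usable = [
        ds for ds in map(parse_ds, ds_lines)
        if ds[1] in supported["algorithms"] and ds[2] in supported["digests"]
    ]
    return "validate" if usable else "insecure"


# Constructed delegation: the child is signed only with RSASHA1.
SHA1_ONLY_ZONE = [
    "example.net. 3600 IN DS 12345 5 1 0123456789abcdef0123456789abcdef01234567",
]

# Constructed delegation that also publishes an RSASHA256 key with a SHA-256 DS.
MIXED_ZONE = SHA1_ONLY_ZONE + [
    "example.net. 3600 IN DS 54321 8 2 " + "ab" * 32,
]


if __name__ == "__main__":
    for name, zone in (("sha1-only", SHA1_ONLY_ZONE), ("mixed", MIXED_ZONE)):
        for label, support in (("with sha1", SUPPORTED_WITH_SHA1),
                               ("without sha1", SUPPORTED_WITHOUT_SHA1)):
            print("%-10s %-13s -> %s" % (name, label, classify_delegation(zone, support)))
```

Running the block prints the four combinations: the SHA-1-only delegation is validated when RSASHA1 is available and becomes insecure when it is not, while a delegation that also publishes a SHA-256 DS for a stronger key keeps a supported path and is validated either way. A resolver that instead reports the SHA-1-only case as bogus is the symptom this issue describes.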

bleve commented 1 month ago

This issue is still visible with 1.21.0rc1