Hello everyone,
after upgrading to F41 I noticed that some websites stopped working, even though they were still loading on my mobile or my non-Fedora laptop.
The problem was the following:
➜ ~ resolvectl query fio.cz
fio.cz: resolve call failed: DNSSEC validation failed: failed-auxiliary
We can also see the DNSSEC validation issue with delv:
➜ ~ delv fio.cz
;; validating fio.cz/A: no valid signature found
; unsigned answer
fio.cz. 5123 IN A 92.38.6.11
fio.cz. 5123 IN RRSIG A 5 2 7200 20241127134707 20241028131819 48246 fio.cz. A7JoXc676r8aI7FZvK4Ey2HIWiA8/75lbM6ZcN19ayfv+p2bF9iAQplv kLcoCtURKav9e/hpxWv4SqwAidisHaKO6mdBo6K1jWMf2F7R649wlRAG PwsYestUD4J0Z35QDGBUua7+J0M6Is0in6fX6BdHC5v9xH/Nq9AquVs+ s8s=
Now, we can see that bind says “no valid signature found”; however, the answer contains a valid RRSIG. I also verified that the signature is indeed valid, but it uses an older algorithm, RSA/SHA1 (algorithm number 5).
I figured out that the allowed DNSSEC policies on Fedora are managed by crypto-policies:
# update-crypto-policies --show
DEFAULT
I tried setting this to LEGACY and restarting systemd-resolved:
# update-crypto-policies --set LEGACY
Setting system policy to LEGACY
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
# systemctl restart systemd-resolved.service
#
Now the same query succeeds and the website is loading in the browser.
➜ ~ resolvectl query fio.cz
fio.cz: 92.38.6.11 -- link: wlo1
-- Information acquired via protocol DNS in 50.2ms.
-- Data is authenticated: yes; Data was acquired via local or encrypted transport: no
-- Data from: network
My question is whether it was intentional to drop RSA/SHA1 support in the default policy already.
According to RFC 8624 (Algorithm Implementation Requirements and Usage Guidance for DNSSEC), the RSA/SHA1 algorithm, while NOT RECOMMENDED for signing, is still a MUST for validation implementations, so I would still expect it to work out of the box in the DEFAULT policy.
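As an added example (not part of the original post), a small Python checker that pulls the RRSIG records out of dig/delv text output, looks the algorithm up in the RFC 8624 table, and reports whether a policy that refuses SHA-1 based algorithms (assumed here to be algorithms 5 and 7, matching how the DEFAULT policy behaved above) would accept the signature, and whether the signature is inside its validity window. The sample input is the A and RRSIG lines from the delv output above, with the signature data shortened.

```python
import re
from datetime import datetime, timezone

# RFC 8624 section 3.1: DNSSEC algorithm number -> (mnemonic, signing guidance, validation guidance)
RFC8624 = {
    5: ("RSASHA1", "NOT RECOMMENDED", "MUST"),
    7: ("RSASHA1-NSEC3-SHA1", "NOT RECOMMENDED", "MUST"),
    8: ("RSASHA256", "MUST", "MUST"),
    13: ("ECDSAP256SHA256", "MUST", "MUST"),
    15: ("ED25519", "RECOMMENDED", "RECOMMENDED"),
}
# Assumption (not stated in the post): the SHA-1 based algorithms that the DEFAULT policy refuses.
SHA1_ALGS = {5, 7}

# RRSIG presentation format: owner TTL IN RRSIG covered alg labels origTTL expiration inception keytag signer sig
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+(?P<alg>\d+)\s+\d+\s+\d+\s+"
    r"(?P<expire>\d{14})\s+(?P<incept>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)\s+")

def _ts(s):  # YYYYMMDDHHMMSS as printed by dig/delv, interpreted as UTC
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(output):
    """Return every RRSIG record found in dig/delv text output as a dict."""
    sigs = []
    for line in output.splitlines():
        m = RRSIG_RE.match(line.strip())
        if m:
            sigs.append({"owner": m["owner"], "covered": m["covered"], "alg": int(m["alg"]),
                         "keytag": int(m["keytag"]), "signer": m["signer"],
                         "inception": _ts(m["incept"]), "expiration": _ts(m["expire"])})
    return sigs

def explain(sig, now_ts, sha1_allowed):
    """Why a validator under the given policy may refuse sig; now_ts is YYYYMMDDHHMMSS UTC."""
    now = _ts(now_ts)
    name, _, validate = RFC8624.get(sig["alg"], ("unknown", "?", "?"))
    reasons = []
    if sig["alg"] in SHA1_ALGS and not sha1_allowed:
        reasons.append(f"algorithm {sig['alg']} ({name}) is SHA-1 based and disabled by policy, "
                       f"although RFC 8624 says validators {validate} support it")
    if not sig["inception"] <= now <= sig["expiration"]:
        reasons.append("signature outside its validity window")
    return {"alg": sig["alg"], "name": name, "accepted": not reasons, "reasons": reasons}

# Constructed sample: the A and RRSIG lines from the delv output in the post (signature data shortened).
SAMPLE = """fio.cz. 5123 IN A 92.38.6.11
fio.cz. 5123 IN RRSIG A 5 2 7200 20241127134707 20241028131819 48246 fio.cz. A7JoXc676r8aI7FZ...
"""
```

Running `explain(parse_rrsigs(SAMPLE)[0], "20241101000000", sha1_allowed=False)` reproduces the DEFAULT-policy refusal seen above, while `sha1_allowed=True` corresponds to the LEGACY result.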