Add Oracle Linux 9
RHEL9 (and by extension Oracle Linux 9) does not support SHA-1 for "cryptographic purposes" in it's default security policy. Fedora is to follow suit in around Fedora 39.
Currently the following tests fail:
-
system tests:
autosign,rsabigexponent,kasp,keymgr2kasp,dnssec. The FIPS support work in !4281 (merged) fixes some of these system tests for OL9. -
unit tests:
rsa_test. Not addressed in !4281 (merged).
[==========] Running 1 test(s).
[ RUN ] isc_rsa_verify
0x20009 != 0
[ LINE ] --- rsa_test.c:171: error: Failure!../../tests/unit-test-driver.sh: line 36: 14312 Aborted (core dumped) "${TEST_PROGRAM}"As a workaround we can enable SHA-1 in our Oracle Linux 9 image by update-crypto-policies --set DEFAULT:SHA1.
As it stands the workaround is currently no help for dnssec:check that NOTIFY is sent at the end of NSEC3 chain generation:
I:dnssec:sleeping ....
...
I:dnssec:sleeping ....
I:dnssec:nsec3 chain generation not complete
I:dnssec:failedPrereq: isc-projects/images!184 and !4281 (merged) (needs to be backported to v9.18 and v9.16 otherwise we can't test on OL9).