[dns-operations] DNSSEC and FIPS-140
James Stevens
James.Stevens at jrcs.co.uk
Sat Dec 1 11:58:09 UTC 2018
We're trying to set up a DNSSEC DNS Master that is FIPS-140 compliant.
Our preference is to use NSEC3.
Our main problem right now is that MD5 is universally banned under
FIPS-140. The OpenSSL FIPS module simply blocks its use completely.
Although the "default" hashing algorithm for NSEC3 is MD5, there is the
option (in the RFC) to use others, but my feeling is that using MD5 is
*so* prevalent that using a different hashing algorithm could cause
validation issues on /some/ servers. I have no evidence for this - it's
just my gut instinct.
I notice dot-GOV and dot-MIL both use MD5 and would think their signing
would be FIPS-140?? But that's just a guess.
We are looking at switching to NSEC, but right now, even that doesn't
work for PowerDNS without MD5 support - I need to check the code to see
why not.
Has anybody else faced this?
Any advice / comments?
James
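Added example, not code from the post or from PowerDNS: the NSEC3 owner-name hashing defined in RFC 5155 section 5 (the NSEC3 hash algorithm registry assigns only value 1, SHA-1), with a parameter check based on the RFC 9276 recommendations. The function and constant names are my own, and the test vector (salt aabbccdd, 12 iterations) is from RFC 5155 Appendix A.

```python
"""NSEC3 hashing (RFC 5155 section 5) and NSEC3PARAM review (RFC 9276 guidance)."""
import base64
import hashlib
from typing import List, Tuple

# NSEC3 hash algorithm registry (RFC 5155 section 11): 1 = SHA-1 is the only assigned value.
NSEC3_HASH_ALGORITHMS = {1: "sha1"}
# NSEC3 uses base32hex (RFC 4648 section 7); translate from base64.b32encode's alphabet.
_B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                 b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 section 6.2): lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError(f"label too long in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_nsec3param(rdata: str) -> Tuple[int, int, int, bytes]:
    """Parse NSEC3PARAM presentation RDATA 'alg flags iterations salt' ('-' means empty salt)."""
    alg, flags, iterations, salt = rdata.split()
    return int(alg), int(flags), int(iterations), (b"" if salt == "-" else bytes.fromhex(salt))


def nsec3_hash(name: str, algorithm: int, iterations: int, salt: bytes) -> str:
    """Hashed owner name: H(name || salt), then `iterations` more rounds of H(prev || salt)."""
    digest = NSEC3_HASH_ALGORITHMS.get(algorithm)
    if digest is None:
        raise ValueError(f"NSEC3 hash algorithm {algorithm} is not assigned in the registry")
    h = hashlib.new(digest, name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.new(digest, h + salt).digest()
    return base64.b32encode(h).translate(_B32_TO_B32HEX).decode("ascii").rstrip("=").lower()


def check_nsec3param(rdata: str) -> List[str]:
    """Findings a reviewer would raise about a zone's NSEC3PARAM record before signing with it."""
    alg, _flags, iterations, salt = parse_nsec3param(rdata)
    findings = []
    if alg not in NSEC3_HASH_ALGORITHMS:
        findings.append(f"hash algorithm {alg} is unassigned; validators ignore such NSEC3 RRs (RFC 5155 s8.1)")
    if iterations > 0:
        findings.append(f"{iterations} extra iterations; RFC 9276 recommends 0")
    if salt:
        findings.append("non-empty salt; RFC 9276 recommends an empty salt")
    return findings
```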