[dns-operations] DNSSEC and FIPS-140

James Stevens James.Stevens at jrcs.co.uk
Sat Dec 1 11:58:09 UTC 2018

We're trying to set up a DNSSEC DNS Master that is FIPS-140 compliant. 
Our preference is to use NSEC3.

Our main problem right now is that MD5 is universally banned under 
FIPS-140. The OpenSSL FIPS module simply blocks its use completely.

Although the "default" hashing algorithm for NSEC3 is MD5, there is the 
option (in the RFC) to use others, but my feeling is that using MD5 is 
*so* prevalent that using a different hashing algorithm could cause 
validation issues on /some/ servers. I have no evidence for this - its 
just my gut instinct.

I notice dot-GOV and dot-MIL both use MD5 and would think their signing 
would be FIPS-140?? But that's just a guess.

We are looking at switching to NSEC, but right now, even that doesn't 
work for PowerDNS without MD5 support - I need to check the code to see 
why not.

Has anybody else faced this?
Any advice / comments?


More information about the dns-operations mailing list