[dns-operations] DNSSEC and FIPS-140

Scott Morizot tmorizot at gmail.com
Sat Dec 1 13:03:24 UTC 2018


The only defined and IANA registered NSEC3 hash algorithm right now is
SHA-1. See Sections 3.1.1 and 11 in RFC 5155.

https://www.iana.org/assignments/dnssec-nsec3-parameters/dnssec-nsec3-parameters.xhtml#dnssec-nsec3-parameters-3

So I'm not sure what you're interpreting as using MD5. I don't use PowerDNS
in any context, so can't comment on it specifically.

Scott

On Sat, Dec 1, 2018 at 6:07 AM James Stevens <James.Stevens at jrcs.co.uk>
wrote:

> We're trying to set up a DNSSEC DNS Master that is FIPS-140 compliant.
> Our preference is to use NSEC3.
>
> Our main problem right now is that MD5 is universally banned under
> FIPS-140. The OpenSSL FIPS module simply blocks its use completely.
>
> Although the "default" hashing algorithm for NSEC3 is MD5, there is the
> option (in the RFC) to use others, but my feeling is that using MD5 is
> *so* prevalent that using a different hashing algorithm could cause
> validation issues on /some/ servers. I have no evidence for this - it's
> just my gut instinct.
>
> I notice dot-GOV and dot-MIL both use MD5 and would think their signing
> would be FIPS-140?? But that's just a guess.
>
> We are looking at switching to NSEC, but right now, even that doesn't
> work for PowerDNS without MD5 support - I need to check the code to see
> why not.
>
>
> Has anybody else faced this?
> Any advice / comments?
>
>
>
> James
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
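Worked example, added here and not part of either post (it is not PowerDNS code and not anything Scott or James wrote): the NSEC3 owner-name hash from RFC 5155 Section 5, with the hash algorithm looked up in a table that mirrors the IANA registry linked above (only value 1, SHA-1, is assigned). The "-" spelling for an empty salt follows the NSEC3PARAM presentation format; the nsec3_covers helper for checking that a hashed name falls inside an NSEC3 interval is my own addition for illustration. The apex vector comes from RFC 5155 Appendix A (zone "example", salt aabbccdd, 12 iterations).

```python
"""NSEC3 owner-name hashing as specified in RFC 5155 Section 5.

Added example, not code from the list thread, PowerDNS, or any other
DNS server. It shows that NSEC3 hashing is SHA-1 (hash algorithm 1),
the only value in the IANA NSEC3 hash-algorithm registry; there is no
MD5 variant of NSEC3 to disable under a FIPS-140 policy.
"""
import hashlib

# Mirror of the IANA "DNSSEC NSEC3 Hash Algorithms" registry:
# 0 is reserved, 1 is SHA-1, nothing else is assigned.
NSEC3_HASH_ALGORITHMS = {1: "sha1"}

# RFC 4648 "extended hex" alphabet, which keeps sort order equal to the
# byte order of the digest (needed for the hashed-chain comparisons).
BASE32HEX = "0123456789abcdefghijklmnopqrstuv"


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased, uncompressed) wire form of an owner name."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long")
        out.append(len(raw))
        out += raw
    out.append(0)  # terminating root label
    return bytes(out)


def base32hex(data: bytes) -> str:
    """Base32hex, lowercase, without '=' padding (RFC 5155 Section 3.1.8)."""
    bits = "".join(f"{b:08b}" for b in data)
    chunks = [bits[i:i + 5] for i in range(0, len(bits), 5)]
    chunks[-1] = chunks[-1].ljust(5, "0")  # no-op for a 20-byte SHA-1 digest
    return "".join(BASE32HEX[int(c, 2)] for c in chunks)


def nsec3_hash(name: str, salt_hex: str, iterations: int, algorithm: int = 1) -> str:
    """RFC 5155 Section 5:
        IH(0) = H(owner_wire || salt)
        IH(k) = H(IH(k-1) || salt)   for k = 1 .. iterations
    Unknown hash algorithms are rejected; RFC 5155 Section 8.1 tells a
    validator to ignore NSEC3 RRs that carry one.
    """
    if algorithm not in NSEC3_HASH_ALGORITHMS:
        raise ValueError(f"unknown NSEC3 hash algorithm {algorithm}")
    digest_name = NSEC3_HASH_ALGORITHMS[algorithm]
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    h = hashlib.new(digest_name, name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.new(digest_name, h + salt).digest()
    return base32hex(h)


def nsec3_covers(owner_hash: str, next_hash: str, candidate_hash: str) -> bool:
    """Illustrative helper (my addition): True when candidate_hash lies
    strictly between an NSEC3 RR's owner hash and its Next Hashed Owner
    Name, which is what proves the candidate name does not exist. The
    last NSEC3 in a zone points back to the first, so the interval can
    wrap around the end of the hashed name space."""
    if owner_hash < next_hash:
        return owner_hash < candidate_hash < next_hash
    return candidate_hash > owner_hash or candidate_hash < next_hash


if __name__ == "__main__":
    # Parameters from the RFC 5155 Appendix A example zone.
    print(nsec3_hash("example.", "aabbccdd", 12))
```

Running the block prints the hashed apex of the RFC 5155 example zone. Because every step is SHA-1, a FIPS-140 OpenSSL module that blocks MD5 has no effect on NSEC3 hashing; whatever is failing in a given signer has to be looked for elsewhere.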