[dns-operations] DNSSEC and FIPS-140

Mukund Sivaraman muks at mukund.org
Sat Dec 1 13:05:47 UTC 2018


On Sat, Dec 01, 2018 at 11:58:09AM +0000, James Stevens wrote:
> We're trying to set up a DNSSEC DNS Master that is FIPS-140 compliant. Our
> preference is to use NSEC3.
> 
> Our main problem right now is that MD5 is universally banned under FIPS-140.
> The OpenSSL FIPS module simply blocks its use completely.
> 
> Although the "default" hashing algorithm for NSEC3 is MD5, there is the

The hash function specified for NSEC3 is SHA-1. MD5 is not used with
NSEC3. Also, the way NSEC3 uses SHA-1, it is unlikely to suffer from
weaknesses in the hash function in the same way as signature
applications.

		Mukund



More information about the dns-operations mailing list