[dns-operations] DNSSEC and FIPS-140
James Stevens
James.Stevens at jrcs.co.uk
Sat Dec 1 13:06:17 UTC 2018
You're right - my mistake - I'm even more confused now
On 01/12/2018 13:03, Scott Morizot wrote:
> The only defined and IANA registered NSEC3 hash algorithm right now is
> SHA-1. See Sections 3.1.1 and 11 in RFC 5155.
>
> https://www.iana.org/assignments/dnssec-nsec3-parameters/dnssec-nsec3-parameters.xhtml#dnssec-nsec3-parameters-3
>
> So I'm not sure what you're interpreting as using MD5. I don't use
> PowerDNS in any context, so can't comment on it specifically.
>
> Scott
>
> On Sat, Dec 1, 2018 at 6:07 AM James Stevens <James.Stevens at jrcs.co.uk
> <mailto:James.Stevens at jrcs.co.uk>> wrote:
>
> We're trying to set up a DNSSEC DNS Master that is FIPS-140 compliant.
> Our preference is to use NSEC3.
>
> Our main problem right now is that MD5 is universally banned under
> FIPS-140. The OpenSSL FIPS module simply blocks its use completely.
>
> Although the "default" hashing algorithm for NSEC3 is MD5, there is the
> option (in the RFC) to use others, but my feeling is that using MD5 is
> *so* prevalent that using a different hashing algorithm could cause
> validation issues on /some/ servers. I have no evidence for this - it's
> just my gut instinct.
>
> I notice dot-GOV and dot-MIL both use MD5 and would think their signing
> would be FIPS-140?? But that's just a guess.
>
> We are looking at switching to NSEC, but right now, even that doesn't
> work for PowerDNS without MD5 support - I need to check the code to see
> why not.
>
>
> Has anybody else faced this?
> Any advice / comments?
>
>
>
> James
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> <mailto:dns-operations at lists.dns-oarc.net>
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
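Worked example (added here; not code from either poster, from PowerDNS, or from the OpenSSL FIPS module): the NSEC3 owner-name hash from RFC 5155 Section 5, implemented with Python's hashlib. It makes Scott's point concrete: the only registered NSEC3 hash algorithm (value 1) is SHA-1, so computing an NSEC3 chain never calls MD5. The expected value is the apex NSEC3 record of the example zone in RFC 5155 Appendix A (NSEC3PARAM "1 0 12 aabbccdd"). Function and constant names below are this example's own; whether SHA-1 is acceptable under a given FIPS-140 policy is a separate question the example does not answer.

```python
"""NSEC3 owner-name hashing as specified in RFC 5155, Section 5.

Added example for this thread (not code from the original posts or from
any DNS server). The only registered NSEC3 hash algorithm (value 1) is
SHA-1, so building an NSEC3 chain does not involve MD5. The test vector
is the apex NSEC3 record of the RFC 5155 Appendix A example zone
(salt aabbccdd, 12 iterations).
"""
import hashlib

# IANA "DNSSEC NSEC3 Hash Algorithms" registry: 0 reserved, 1 = SHA-1.
NSEC3_HASH_ALGS = {1: "sha1"}

BASE32HEX = "0123456789abcdefghijklmnopqrstuv"  # RFC 4648 base32hex, lowercase


def wire_name(owner: str) -> bytes:
    """Canonical wire form (RFC 4034 s6.2): lowercase labels, each
    length-prefixed, terminated by the zero-length root label."""
    name = owner.rstrip(".").lower()
    out = bytearray()
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label length in {owner!r}")
            out.append(len(raw))
            out += raw
    out.append(0)
    return bytes(out)


def base32hex(data: bytes) -> str:
    """Base32hex without padding. A 20-byte SHA-1 digest is exactly 32 chars."""
    bits = int.from_bytes(data, "big")
    nbits = len(data) * 8
    pad = (-nbits) % 5
    bits <<= pad
    nbits += pad
    return "".join(BASE32HEX[(bits >> s) & 31] for s in range(nbits - 5, -1, -5))


def nsec3_hash(owner: str, salt: bytes, iterations: int, alg: int = 1) -> str:
    """RFC 5155 s5: IH(salt, x, 0) = H(x || salt);
    IH(salt, x, k) = H(IH(salt, x, k-1) || salt); result is IH(salt, x, iterations).
    Rejects any hash algorithm value that is not in the IANA registry."""
    try:
        digest = NSEC3_HASH_ALGS[alg]
    except KeyError:
        raise ValueError(f"NSEC3 hash algorithm {alg} is not registered") from None
    h = hashlib.new(digest, wire_name(owner) + salt).digest()
    for _ in range(iterations):
        h = hashlib.new(digest, h + salt).digest()
    return base32hex(h)


def parse_nsec3param(rdata: str) -> tuple:
    """Parse NSEC3PARAM presentation rdata, e.g. "1 0 12 aabbccdd".
    Returns (alg, flags, iterations, salt_bytes); a salt of "-" is empty."""
    alg, flags, iters, salt = rdata.split()
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    return int(alg), int(flags), int(iters), salt_bytes


def hashed_owner(owner: str, zone: str, nsec3param_rdata: str) -> str:
    """Full NSEC3 owner name of `owner` in `zone`, given the zone's NSEC3PARAM."""
    alg, _flags, iters, salt = parse_nsec3param(nsec3param_rdata)
    return f"{nsec3_hash(owner, salt, iters, alg)}.{zone.rstrip('.')}."


if __name__ == "__main__":
    # RFC 5155 Appendix A: apex of "example." with NSEC3PARAM "1 0 12 aabbccdd"
    print(hashed_owner("example.", "example.", "1 0 12 aabbccdd"))
    # Prints 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.
```

Run under a FIPS-enabled OpenSSL, hashlib.new("sha1") is what this code calls for every iteration; an MD5 call would only appear if some other part of the signer (not the NSEC3 computation itself) used it, which is where the PowerDNS question above would need to be chased.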