[dns-operations] DNSSEC and FIPS-140

James Stevens James.Stevens at jrcs.co.uk
Sat Dec 1 13:06:17 UTC 2018


You're right - my mistake - I'm even more confused now



On 01/12/2018 13:03, Scott Morizot wrote:
> The only defined and IANA registered NSEC3 hash algorithm right now is 
> SHA-1. See Sections 3.1.1 and 11 in RFC 5155.
> 
> https://www.iana.org/assignments/dnssec-nsec3-parameters/dnssec-nsec3-parameters.xhtml#dnssec-nsec3-parameters-3
> 
> So I'm not sure what you're interpreting as using MD5. I don't use 
> PowerDNS in any context, so can't comment on it specifically.
> 
> Scott
> 
> On Sat, Dec 1, 2018 at 6:07 AM James Stevens <James.Stevens at jrcs.co.uk 
> <mailto:James.Stevens at jrcs.co.uk>> wrote:
> 
>     We're trying to set up a DNSSEC DNS Master that is FIPS-140 compliant.
>     Our preference is to use NSEC3.
> 
>     Our main problem right now is that MD5 is universally banned under
>     FIPS-140. The OpenSSL FIPS module simply blocks its use completely.
> 
>     Although the "default" hashing algorithm for NSEC3 is MD5, there is the
>     option (in the RFC) to use others, but my feeling is that using MD5 is
>     *so* prevalent that using a different hashing algorithm could cause
>     validation issues on /some/ servers. I have no evidence for this - its
>     just my gut instinct.
> 
>     I notice dot-GOV and dot-MIL both use MD5 and would think their signing
>     would be FIPS-140?? But that's just a guess.
> 
>     We are looking at switching to NSEC, but right now, even that doesn't
>     work for PowerDNS without MD5 support - I need to check the code to see
>     why not.
> 
> 
>     Has anybody else faced this?
>     Any advice / comments?
> 
> 
> 
>     James
>     _______________________________________________
>     dns-operations mailing list
>     dns-operations at lists.dns-oarc.net
>     <mailto:dns-operations at lists.dns-oarc.net>
>     https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>     dns-operations mailing list
>     https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> 


More information about the dns-operations mailing list