[dns-operations] DNSSEC and FIPS-140

Florian Weimer fweimer at redhat.com
Sat Dec 1 14:09:17 UTC 2018

* James Stevens:

> We're trying to set up a DNSSEC DNS Master that is FIPS-140
> compliant. Our preference is to use NSEC3.
> Our main problem right now is that MD5 is universally banned under
> FIPS-140. The OpenSSL FIPS module simply blocks its use completely.

You can banned algorithms with FIPS-140 if it does not perform any
cryptographic function.  The canonical example is password hashing when
the hashes are kept secret by other means.

I think you could make a purpose that the hashing in NSEC3 does not
serve a cryptographic purpose.


More information about the dns-operations mailing list