[dns-operations] DNSSEC and FIPS-140
Florian Weimer
fweimer at redhat.com
Sat Dec 1 14:09:17 UTC 2018
* James Stevens:
> We're trying to set up a DNSSEC DNS Master that is FIPS-140
> compliant. Our preference is to use NSEC3.
>
> Our main problem right now is that MD5 is universally banned under
> FIPS-140. The OpenSSL FIPS module simply blocks its use completely.
You can use banned algorithms with FIPS-140 if they do not perform any
cryptographic function. The canonical example is password hashing when
the hashes are kept secret by other means.
I think you could make a case that the hashing in NSEC3 does not
serve a cryptographic purpose.
Thanks,
Florian
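The NSEC3 hashing Florian refers to, as an added example that is not part of the thread: RFC 5155's iterated, salted hash (hash algorithm 1 is SHA-1) over the canonical owner name, checked against the RFC's own Appendix A vector. Every input (owner name, salt and iteration count from NSEC3PARAM) is public zone data, so the result is a deterministic index that protects nothing by itself; integrity comes from the RRSIG over the NSEC3 RRs, which is where FIPS-approved algorithms matter. The `usedforsecurity=False` flag is Python 3.9+'s way of declaring a non-security hash use to a FIPS-mode OpenSSL; the fallback for older Pythons is an assumption of this example.

```python
import base64
import hashlib


def _nsec3_h(data: bytes) -> bytes:
    """RFC 5155 hash algorithm 1 (SHA-1); flagged as a non-security use."""
    try:
        return hashlib.sha1(data, usedforsecurity=False).digest()
    except TypeError:  # Python < 3.9 has no usedforsecurity parameter
        return hashlib.sha1(data).digest()


def owner_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, e.g. b'\\x07example\\x00'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"   # RFC 4648 base32 alphabet
_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"   # RFC 4648 base32hex alphabet


def base32hex(raw: bytes) -> str:
    """Base32 with the extended-hex alphabet, lowercase and unpadded as in zone files."""
    table = bytes.maketrans(_STD, _HEX)
    return base64.b32encode(raw).translate(table).rstrip(b"=").decode().lower()


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """Hashed owner name per RFC 5155 section 5:
    IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    salt_hex is the NSEC3PARAM presentation form; '-' means an empty salt."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = _nsec3_h(owner_wire(name) + salt)
    for _ in range(iterations):
        digest = _nsec3_h(digest + salt)
    return base32hex(digest)


if __name__ == "__main__":
    # RFC 5155 Appendix A: "example. NSEC3PARAM 1 0 12 aabbccdd"
    print(nsec3_hash("example.", "aabbccdd", 12))  # 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
```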