[dns-operations] DNSSEC and FIPS-140
James Stevens
James.Stevens at jrcs.co.uk
Sat Dec 1 14:31:03 UTC 2018
The reason for the confusion is that PowerDNS is unable to return an
RRSIG for NSEC or NSEC3 if MD5 is disabled at the O/S level. It just
crashes.
But I have no idea why it would need it??
I need to look at the source.
James
On 01/12/2018 13:06, James Stevens wrote:
> You're right - my mistake - I'm even more confused now
>
>
>
> On 01/12/2018 13:03, Scott Morizot wrote:
>> The only defined and IANA registered NSEC3 hash algorithm right now is
>> SHA-1. See Sections 3.1.1 and 11 in RFC 5155.
>>
>> https://www.iana.org/assignments/dnssec-nsec3-parameters/dnssec-nsec3-parameters.xhtml#dnssec-nsec3-parameters-3
>>
>>
>> So I'm not sure what you're interpreting as using MD5. I don't use
>> PowerDNS in any context, so can't comment on it specifically.
>>
>> Scott
>>
>> On Sat, Dec 1, 2018 at 6:07 AM James Stevens <James.Stevens at jrcs.co.uk> wrote:
>>
>> We're trying to set up a DNSSEC DNS Master that is FIPS-140
>> compliant.
>> Our preference is to use NSEC3.
>>
>> Our main problem right now is that MD5 is universally banned under
>> FIPS-140. The OpenSSL FIPS module simply blocks its use completely.
>>
>> Although the "default" hashing algorithm for NSEC3 is MD5, there is the
>> option (in the RFC) to use others, but my feeling is that using MD5 is
>> *so* prevalent that using a different hashing algorithm could cause
>> validation issues on /some/ servers. I have no evidence for this - it's
>> just my gut instinct.
>>
>> I notice dot-GOV and dot-MIL both use MD5 and would think their signing
>> would be FIPS-140?? But that's just a guess.
>>
>> We are looking at switching to NSEC, but right now, even that doesn't
>> work for PowerDNS without MD5 support - I need to check the code to see
>> why not.
>>
>>
>> Has anybody else faced this?
>> Any advice / comments?
>>
>>
>>
>> James
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
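Scott's point above (the only registered NSEC3 hash algorithm is SHA-1, RFC 5155 Sections 3.1.1 and 11) can be checked by computing an NSEC3 hashed owner name by hand. The following is an added example, not code from the thread or from PowerDNS; it implements the hash calculation from RFC 5155 Section 5 and is checked against the RFC's own Appendix A zone (salt aabbccdd, 12 iterations), and it never touches MD5, so it runs unchanged on a FIPS-restricted host.

```python
import base64
import hashlib

# RFC 5155 Section 11 (IANA registry): 1 = SHA-1 is the only NSEC3 hash algorithm.
NSEC3_HASH_ALGS = {1: "sha1"}

# base64.b32encode uses the standard alphabet; DNS wants base32hex (RFC 4648 s7).
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels, root byte."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int, algorithm: int = 1) -> str:
    """Hashed owner name per RFC 5155 s5:
       IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt)."""
    if algorithm not in NSEC3_HASH_ALGS:
        raise ValueError(f"NSEC3 hash algorithm {algorithm} is not registered (only 1 = SHA-1)")
    h = NSEC3_HASH_ALGS[algorithm]
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)   # "-" means empty salt
    digest = hashlib.new(h, to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.new(h, digest + salt).digest()
    # 20-byte SHA-1 output -> 32 base32hex characters, no padding; DNS convention is lowercase
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX).lower()


if __name__ == "__main__":
    # Parameters of the RFC 5155 Appendix A example zone (constructed run, nothing is queried)
    for owner in ("example.", "a.example.", "ns1.example."):
        print(f"{nsec3_hash(owner, 'aabbccdd', 12)}.example.  <- {owner}")
```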