[dns-operations] DNSSEC and FIPS-140

James Stevens James.Stevens at jrcs.co.uk
Sat Dec 1 14:31:03 UTC 2018


The reason for the confusion is that PowerDNS is unable to return a 
RRSIG for NSEC or NSEC3 if MD5 is disabled at the O/S level. It just 
crashes.

But I have no idea why it would need it??

I need to look at the source.



James


On 01/12/2018 13:06, James Stevens wrote:
> You're right - my mistake - I'm even more confused now
> 
> 
> 
> On 01/12/2018 13:03, Scott Morizot wrote:
>> The only defined and IANA registered NSEC3 hash algorithm right now is 
>> SHA-1. See Sections 3.1.1 and 11 in RFC 5155.
>>
>> https://www.iana.org/assignments/dnssec-nsec3-parameters/dnssec-nsec3-parameters.xhtml#dnssec-nsec3-parameters-3 
>>
>>
>> So I'm not sure what you're interpreting as using MD5. I don't use 
>> PowerDNS in any context, so can't comment on it specifically.
>>
>> Scott
>>
>> On Sat, Dec 1, 2018 at 6:07 AM James Stevens <James.Stevens at jrcs.co.uk>
>> wrote:
>>
>>     We're trying to set up a DNSSEC DNS Master that is FIPS-140
>>     compliant. Our preference is to use NSEC3.
>>
>>     Our main problem right now is that MD5 is universally banned under
>>     FIPS-140. The OpenSSL FIPS module simply blocks its use completely.
>>
>>     Although the "default" hashing algorithm for NSEC3 is MD5, there
>>     is the option (in the RFC) to use others, but my feeling is that
>>     using MD5 is *so* prevalent that using a different hashing algorithm
>>     could cause validation issues on /some/ servers. I have no evidence
>>     for this - it's just my gut instinct.
>>
>>     I notice dot-GOV and dot-MIL both use MD5 and would think their
>>     signing would be FIPS-140?? But that's just a guess.
>>
>>     We are looking at switching to NSEC, but right now, even that doesn't
>>     work for PowerDNS without MD5 support - I need to check the code
>>     to see why not.
>>
>>
>>     Has anybody else faced this?
>>     Any advice / comments?
>>
>>
>>
>>     James
>>     _______________________________________________
>>     dns-operations mailing list
>>     dns-operations at lists.dns-oarc.net
>>
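An added example, not from this thread or from PowerDNS: the NSEC3 owner-name hash exactly as RFC 5155 Section 5 defines it, checked against the RFC's own Appendix A vector (zone "example.", salt aabbccdd, 12 iterations). The only IANA-registered NSEC3 hash algorithm is 1 (SHA-1), so a FIPS build that blocks MD5 has no effect on this computation; the function names and the algorithm table are this example's own.

```python
import base64
import hashlib

# RFC 5155 Section 11 / IANA registry: only algorithm 1 (SHA-1) is defined.
# Note: no MD5 anywhere in the NSEC3 hash chain.
NSEC3_HASH_ALGS = {1: hashlib.sha1}

# NSEC3 owner names use base32hex (RFC 4648 Section 7), lowercased in zone files.
_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_HEX = bytes.maketrans(_B32_STD, _B32_HEX)


def wire_name(name: str) -> bytes:
    """Canonical wire-format name (RFC 4034 Section 6.2): lowercase labels,
    each prefixed by its length, terminated by the root (zero) label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, alg: int = 1, iterations: int = 0, salt: bytes = b"") -> str:
    """RFC 5155 Section 5:
       IH(salt, x, 0) = H(x || salt)
       IH(salt, x, k) = H(IH(salt, x, k-1) || salt)
    Returns the base32hex text form used as the NSEC3 owner-name label."""
    try:
        h = NSEC3_HASH_ALGS[alg]
    except KeyError:
        raise ValueError(f"NSEC3 hash algorithm {alg} is not IANA-registered") from None
    digest = h(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = h(digest + salt).digest()
    # 20-byte SHA-1 digest -> exactly 32 base32hex characters, no padding.
    return base64.b32encode(digest).translate(_TO_HEX).decode("ascii").lower()


def supported_algorithms() -> list:
    """Algorithms this implementation (and the IANA registry) will accept."""
    return sorted(NSEC3_HASH_ALGS)


if __name__ == "__main__":
    # RFC 5155 Appendix A: example. NSEC3PARAM 1 0 12 aabbccdd
    print(nsec3_hash("example.", 1, 12, bytes.fromhex("aabbccdd")))
```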


