[dns-operations] DNSSEC and FIPS-140

James Stevens James.Stevens at jrcs.co.uk
Sat Dec 1 15:23:10 UTC 2018

>> The reason for the confusion is that PowerDNS is unable to return
>> a RRSIG for NSEC or NSEC3 if MD5 is disabled at the O/S level.
>> It just crashes.

>> But I have no idea why it would need it??
>> I need to look at the source.
> I think you need to take this discussion to a PowerDNS forum/mailing
> list. What you're saying doesn't seem possible. It's highly unlikely a
> query will cause a DNS server to crash because "MD5 is disabled at the
> O/S Level" (whatever you mean by that). However if your OS has a mangled
> SSL library, all bets are off.

Thanks, Jim. Sounds like you're right.

I was just trying to figure out if there was *any* reason why a zone 
signed NSEC or NSEC3, using ECDSA256 keys, would ever /legitimately/ 
need MD5.

The answer seems to be "no".
If so, this can only be an issue for PowerDNS.

We're running a PowerDNS Master on RHEL 7 installed with FIPS compliance,

... which (I believe) installs the FIPS OpenSSL module - 

RHEL/FIPS enforces FIPS compliance at the O/S level. e.g. it disables 
all non-FIPS-140 compliant algorithms (inc MD5) within OpenSSL, so they 
can't be used for any reason whatsoever.

On a PowerDNS master, with "example.com" signed NSEC or NSEC3 with 
ECDSA256 KSK & ZSK, this query works fine ...

$ dig @ example.com soa

... but this query will crash PowerDNS ...

$ dig +dnssec @ example.com soa

By "crash" I mean PowerDNS core-dumps - interestingly with signal 6, 
SIGABRT - so sounds like some kind of assertion has failed - like you 
said, looks like this needs to be taken up elsewhere.
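The question in the message is whether an NSEC/NSEC3 zone signed with ECDSA P-256 could legitimately touch MD5. The following Python script, added here as an illustration and not code from this thread or from PowerDNS, shows the two places where a hash algorithm is actually chosen: the NSEC3 owner-name hash (RFC 5155, which defines only SHA-1) and the algorithm number carried in RRSIG/DNSKEY records (only RSAMD5, algorithm 1, depends on MD5). The NSEC3 test vector is the apex of the RFC 5155 Appendix A example zone (salt aabbccdd, 12 iterations); the RRSIG lines are constructed samples whose signature fields are placeholders, not real signatures.

```python
import base64
import hashlib

# DNSSEC algorithm numbers (IANA registry) whose signatures depend on MD5.
# Only RSAMD5 (1) does; it was deprecated by RFC 6725. ECDSA P-256 is
# algorithm 13 (RFC 6605) and uses SHA-256, so a FIPS-restricted OpenSSL
# has no reason to reject it.
MD5_BASED_ALGORITHMS = {1}
ECDSAP256SHA256 = 13


def wire_name(name: str) -> bytes:
    """Canonical wire format of an owner name (RFC 4034 section 6.2):
    lowercase labels, each prefixed by its length, ending in the root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return out + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """NSEC3 owner-name hash per RFC 5155 section 5:
    IH(0) = SHA1(name || salt); IH(k) = SHA1(IH(k-1) || salt).
    The result is base32hex (RFC 4648 section 7); 20 bytes need no padding.
    NSEC3 hash algorithm 1 (SHA-1) is the only one defined, so MD5 is never involved."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # Standard base32 -> base32hex by re-mapping the alphabet (portable
    # across Python versions that lack base64.b32hexencode).
    std = base64.b32encode(digest).decode("ascii")
    to_hex = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")
    return std.translate(to_hex).lower()


def rrsig_algorithm(rrsig_presentation: str) -> int:
    """Extract the algorithm number from an RRSIG record in presentation
    format. After the RRSIG type the fields are: type covered, algorithm,
    labels, original TTL, expiration, inception, key tag, signer, signature."""
    fields = rrsig_presentation.split()
    return int(fields[fields.index("RRSIG") + 2])


def needs_md5(rrsig_presentation: str) -> bool:
    """True only if the RRSIG was made with an MD5-based algorithm."""
    return rrsig_algorithm(rrsig_presentation) in MD5_BASED_ALGORITHMS


# Constructed sample records (signature fields are placeholders, not real
# signatures): an NSEC3 RRSIG made with ECDSA P-256 as in the zone described
# in the message, and a deprecated RSAMD5 RRSIG for contrast.
SAMPLE_ECDSA_RRSIG = (
    "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.com. 3600 IN RRSIG NSEC3 13 3 3600 "
    "20181231000000 20181201000000 12345 example.com. PLACEHOLDERSIG=="
)
SAMPLE_RSAMD5_RRSIG = (
    "example.com. 3600 IN RRSIG SOA 1 2 3600 "
    "20181231000000 20181201000000 54321 example.com. PLACEHOLDERSIG=="
)


if __name__ == "__main__":
    # RFC 5155 Appendix A: the apex "example." hashes to
    # 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom with salt aabbccdd and 12 iterations.
    print("NSEC3 hash of example.:", nsec3_hash("example.", "aabbccdd", 12))
    for rr in (SAMPLE_ECDSA_RRSIG, SAMPLE_RSAMD5_RRSIG):
        alg = rrsig_algorithm(rr)
        print(f"algorithm {alg}: {'depends on MD5' if needs_md5(rr) else 'no MD5 needed'}")
```

Running it shows that every hash an ECDSA P-256 NSEC3 zone relies on is SHA-1 or SHA-256; if a signer aborts when MD5 is unavailable, the dependency is in the software's own code paths (for example an unrelated internal use of MD5), not in the DNSSEC algorithms the zone uses.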
