[dns-operations] DNSSEC and FIPS-140

James Stevens James.Stevens at jrcs.co.uk
Sat Dec 1 15:23:10 UTC 2018


>> The reason for the confusion is that PowerDNS is unable to return
>> a RRSIG for NSEC or NSEC3 if MD5 is disabled at the O/S level.
>> It just  crashes.

>> But I have no idea why it would need it??
>>
>> I need to look at the source.
> 
> I think you need to take this discussion to a PowerDNS forum/mailing
> list. What you're saying doesn't seem possible. It's highly unlikely a
> query will cause a DNS server to crash because "MD5 is disabled at the
> O/S Level" (whatever you mean by that). However if your OS has a mangled
> SSL library, all bets are off.

Thanks, Jim. Sounds like you're right.

I was just trying to figure out if there was *any* reason why a zone 
signed NSEC or NSEC3, using ECDSA256 keys, would ever /legitimately/ 
need MD5.

The answer seems to be "no".
If so, this can only be an issue for PowerDNS.



We're running a PowerDNS Master on RHEL 7 installed with FIPS compliance,

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations

... which (I believe) installs the FIPS OpenSSL module - 
https://www.openssl.org/docs/fips.html


RHEL/FIPS enforces FIPS compliance at the O/S level. e.g. it disables 
all non-FIPS-140 compliant algorithms (inc MD5) within OpenSSL, so they 
can't be used for any reason whatsoever.


On a PowerDNS master, with "exmaple.com" signed NSEC or NSEC3 with 
ECDA256 KSK & ZSK, this query works fine ...

$ dig @127.0.0.1 example.com soa

... but this query will crash PowerDNS ...

$ dig +dnssec @127.0.0.1 example.com soa


By "crash" I mean PowerDNS core-dumps - interestingly with signal 6, 
SIGABRT - so sounds like some kind of assertion has failed - like you 
said, looks like this needs to be taken up elsewhere.



James


More information about the dns-operations mailing list