<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-IN" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal" style="text-align:justify">Hi There,<o:p></o:p></p>
<p class="MsoNormal" style="text-align:justify"> While trying to verify DANE compliance for a domain, we are facing RSA signature verification issue in FIPS mode for 1024 key sizes.<o:p></o:p></p>
<p class="MsoNormal" style="text-align:justify">As per our understanding we could see in Non FIPS mode, (openssl) rsa_sign.c RSA_verify functions is taking care of signature verification and its passing.<o:p></o:p></p>
<p class="MsoNormal" style="text-align:justify">In FIPS mode we see that unbound doesn’t call RSA_verify, could you help us understand if there is any other was verification takes place.<o:p></o:p></p>
<p class="MsoNormal" style="text-align:justify">Below is the unbound query response for ietf.org.<o:p></o:p></p>
<p class="MsoNormal" style="text-align:justify"><o:p> </o:p></p>
<p class="MsoNormal">Answer in Non FIPS mode:<o:p></o:p></p>
<p class="MsoNormal"><dns_reply rcode=0 q:[] an:[('MX', 'ietf.org', 0, 'SECURE', 3963714400605L, (0, 'mail.ietf.org'))] ns:[] ar:[]><o:p></o:p></p>
<p class="MsoNormal"><dns_reply rcode=0 q:[] an:[('A', 'mail.ietf.org', 0, 'SECURE', 3963714400605L, '4.31.198.44')] ns:[] ar:[]><o:p></o:p></p>
<p class="MsoNormal"><dns_reply rcode=0 q:[] an:[] ns:[] ar:[]><o:p></o:p></p>
<p class="MsoNormal"><dns_reply rcode=0 q:[] an:[('TLSA', '_25._tcp.mail.ietf.org', 0, 'SECURE', 3969483822987L, '0301010c72ac70b745ac19998811b131d662c9ac69dbdbe7cb23e5b514b56664c5d3d6')] ns:[] ar:[]><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Answer in FIPS mode:<o:p></o:p></p>
<p class="MsoNormal"><dns_reply rcode=0 q:[] an:[('MX', 'ietf.org', 0, 'BOGUS', 4274224824212L, (0, 'mail.ietf.org'))]<o:p></o:p></p>
<p class="MsoNormal"><dns_reply rcode=0 q:[] an:[('A', 'mail.ietf.org', 0, 'BOGUS', 4274224824212L, '4.31.198.44')] ns:[] ar:[]><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We appreciate any inputs on how we can verify 1024 key sizes signature verification in FIPS mode.<o:p></o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">rafiq<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="0" style="width:407.25pt">
<tbody>
<tr>
<td colspan="3" style="padding:0cm 0cm 0cm 0cm">
<p class="MsoNormal"><span style="mso-fareast-language:EN-IN"><img width="602" height="78" style="width:6.2708in;height:.8125in" id="Picture_x0020_1" src="cid:image002.jpg@01D73E03.DC38C150" alt="logo_Grey"></span><span style="font-size:12.0pt;font-family:"Times New Roman",serif;mso-fareast-language:EN-IN"><o:p></o:p></span></p>
</td>
</tr>
<tr style="height:7.5pt">
<td style="padding:0cm 0cm 0cm 0cm;height:7.5pt">
<p class="MsoNormal"><span style="font-size:1.0pt;font-family:"Times New Roman",serif;mso-fareast-language:EN-IN"> <o:p></o:p></span></p>
</td>
<td style="padding:0cm 0cm 0cm 0cm;height:7.5pt"></td>
<td style="padding:0cm 0cm 0cm 0cm;height:7.5pt"></td>
</tr>
<tr>
<td nowrap="" valign="top" style="padding:0cm 0cm 0cm 18.0pt">
<p class="MsoNormal"><b><span style="font-size:8.5pt;font-family:"Arial",sans-serif;color:#666666;mso-fareast-language:EN-IN">Mohammad Rafiq</span></b><span style="font-size:8.5pt;font-family:"Arial",sans-serif;color:#666666;mso-fareast-language:EN-IN"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"Arial",sans-serif;color:#666666;mso-fareast-language:EN-IN">Technical Lead<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"Arial",sans-serif;color:#666666;mso-fareast-language:EN-IN"><a href="mailto:mohrafiq@cisco.com"><span style="color:#666666;text-decoration:none">mohrafiq@cisco.com</span></a></span><span style="mso-fareast-language:EN-IN"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"Arial",sans-serif;color:#666666;mso-fareast-language:EN-IN">Tel:
<o:p></o:p></span></p>
</td>
<td width="352" valign="top" style="width:206.25pt;padding:0cm 0cm 0cm 15.0pt">
<p class="MsoNormal"><b><span style="font-size:8.5pt;font-family:"Arial",sans-serif;color:#666666;mso-fareast-language:EN-IN">Cisco Systems, Inc.<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:8.5pt;font-family:"Arial",sans-serif;color:#666666;mso-fareast-language:EN-IN">SDB-7, Unit-IV, GF,1F-4F,ELCOT SEZ #602/3, Sholinganallur<br>
CHENNAI<br>
600 119<br>
India<br>
cisco.com</span><span style="font-size:8.5pt;font-family:"Arial",sans-serif;color:#666666"><o:p></o:p></span></p>
</td>
<td style="padding:0cm 0cm 0cm 0cm"></td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:12.0pt;font-family:"Times New Roman",serif;display:none;mso-fareast-language:EN-IN"><o:p> </o:p></span></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="0" style="width:300.0pt">
<tbody>
<tr>
<td style="padding:0cm 15.0pt 0cm 18.0pt">
<p class="MsoNormal"><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:#009900;mso-fareast-language:EN-IN"><img border="0" width="18" height="19" style="width:.1875in;height:.1979in" id="Picture_x0020_3" src="cid:image003.gif@01D73E03.81948FE0" alt="http://www.cisco.com/assets/swa/img/thinkbeforeyouprint.gif">Think
before you print.<o:p></o:p></span></p>
</td>
</tr>
<tr>
<td style="padding:0cm 15.0pt 0cm 18.0pt">
<p class="MsoNormal"><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:#999999;mso-fareast-language:EN-IN">This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution
or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:#999999;mso-fareast-language:EN-IN">Please
<a href="http://www.cisco.com/web/about/doing_business/legal/cri/index.html" title="Legal Information">
<span style="color:#0E58A0">click here</span></a> for Company Registration Information.<o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>