Unbound 1.11.0 FIPS mode issue

Mohammad Rafiq -X (mohrafiq - HCL TECHNOLOGIES LIMITED at Cisco) mohrafiq at cisco.com
Fri Apr 30 15:30:35 UTC 2021 

Hi There,
                While trying to verify DANE compliance for a domain, we are facing RSA signature verification issue in FIPS mode for 1024 key sizes.
As per our understanding we could see in Non FIPS mode, (openssl) rsa_sign.c RSA_verify functions is taking care of signature verification and its passing.
In FIPS mode we see that unbound doesn't call RSA_verify, could you help us understand if there is any other was verification takes place.
Below is the unbound query response for ietf.org.

Answer in Non FIPS mode:
<dns_reply rcode=0 q:[] an:[('MX', 'ietf.org', 0, 'SECURE', 3963714400605L, (0, 'mail.ietf.org'))] ns:[] ar:[]>
<dns_reply rcode=0 q:[] an:[('A', 'mail.ietf.org', 0, 'SECURE', 3963714400605L, '4.31.198.44')] ns:[] ar:[]>
<dns_reply rcode=0 q:[] an:[] ns:[] ar:[]>
<dns_reply rcode=0 q:[] an:[('TLSA', '_25._tcp.mail.ietf.org', 0, 'SECURE', 3969483822987L, '0301010c72ac70b745ac19998811b131d662c9ac69dbdbe7cb23e5b514b56664c5d3d6')] ns:[] ar:[]>

Answer in FIPS mode:
<dns_reply rcode=0 q:[] an:[('MX', 'ietf.org', 0, 'BOGUS', 4274224824212L, (0, 'mail.ietf.org'))]
<dns_reply rcode=0 q:[] an:[('A', 'mail.ietf.org', 0, 'BOGUS', 4274224824212L, '4.31.198.44')] ns:[] ar:[]>

We appreciate any inputs on how we can verify 1024 key sizes signature verification in FIPS mode.
Thanks,
rafiq


[logo_Grey]

Mohammad Rafiq
Technical Lead
mohrafiq at cisco.com<mailto:mohrafiq at cisco.com>
Tel:
Cisco Systems, Inc.
SDB-7, Unit-IV, GF,1F-4F,ELCOT SEZ #602/3, Sholinganallur
CHENNAI
600 119
India
cisco.com

[http://www.cisco.com/assets/swa/img/thinkbeforeyouprint.gif]Think before you print.
This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message.
Please click here<http://www.cisco.com/web/about/doing_business/legal/cri/index.html> for Company Registration Information.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20210430/17fb7204/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.gif
Type: image/gif
Size: 134 bytes
Desc: image003.gif
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20210430/17fb7204/attachment.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.jpg
Type: image/jpeg
Size: 2957 bytes
Desc: image002.jpg
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20210430/17fb7204/attachment.jpg>

More information about the Unbound-users mailing list