Unbound 1.11.0 FIPS mode issue

Mohammad Rafiq -X (mohrafiq - HCL TECHNOLOGIES LIMITED at Cisco) mohrafiq at cisco.com
Thu May 6 18:24:31 UTC 2021


Hi All,
We are trying to enable verbosity in Unbound; so far we have tried the flags below at build time.
--verbose
--with-syslog-facility
./configure --verbose --with-syslog-facility=LOCAL0
We could not find where the additional logs are saved. Also, kindly help us with where we can configure the path for LOCAL0 through 7.
Our goal is to add debug logs to identify the code snippet where signature verification takes place, to check the feasibility of bypassing the FIPS mode check and verifying 1024-bit key sizes.
Appreciate any inputs on the above queries.
Thanks,
rafiq


Mohammad Rafiq
Technical Lead
mohrafiq at cisco.com<mailto:mohrafiq at cisco.com>
Tel:
Cisco Systems, Inc.
SDB-7, Unit-IV, GF,1F-4F,ELCOT SEZ #602/3, Sholinganallur
CHENNAI
600 119
India
cisco.com

Think before you print.
This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message.
Please click here<http://www.cisco.com/web/about/doing_business/legal/cri/index.html> for Company Registration Information.

From: Mohammad Rafiq -X (mohrafiq - HCL TECHNOLOGIES LIMITED at Cisco)
Sent: 06 May 2021 01:01
To: 'unbound-users at lists.nlnetlabs.nl' <unbound-users at lists.nlnetlabs.nl>
Subject: RE: Unbound 1.11.0 FIPS mode issue

Hi All,
Can anyone share information on the function that does signature verification in the Unbound library (version 1.11.0)?
Is there any way to bypass the FIPS mode setting and allow signature verification for 1024-bit key sizes as well in FIPS mode in Unbound? Or can we use any OpenSSL flag to disable FIPS mode for Unbound? Appreciate any inputs on this.
Thanks,
rafiq


From: Mohammad Rafiq -X (mohrafiq - HCL TECHNOLOGIES LIMITED at Cisco)
Sent: 30 April 2021 21:01
To: unbound-users at lists.nlnetlabs.nl<mailto:unbound-users at lists.nlnetlabs.nl>
Subject: Unbound 1.11.0 FIPS mode issue

Hi There,
While trying to verify DANE compliance for a domain, we are facing an RSA signature verification issue in FIPS mode for 1024-bit key sizes.
As per our understanding, we could see that in non-FIPS mode the (OpenSSL) rsa_sign.c RSA_verify function is taking care of signature verification and it is passing.
In FIPS mode we see that Unbound doesn't call RSA_verify; could you help us understand if there is any other way verification takes place?
Below is the unbound query response for ietf.org.

Answer in Non FIPS mode:
<dns_reply rcode=0 q:[] an:[('MX', 'ietf.org', 0, 'SECURE', 3963714400605L, (0, 'mail.ietf.org'))] ns:[] ar:[]>
<dns_reply rcode=0 q:[] an:[('A', 'mail.ietf.org', 0, 'SECURE', 3963714400605L, '4.31.198.44')] ns:[] ar:[]>
<dns_reply rcode=0 q:[] an:[] ns:[] ar:[]>
<dns_reply rcode=0 q:[] an:[('TLSA', '_25._tcp.mail.ietf.org', 0, 'SECURE', 3969483822987L, '0301010c72ac70b745ac19998811b131d662c9ac69dbdbe7cb23e5b514b56664c5d3d6')] ns:[] ar:[]>

Answer in FIPS mode:
<dns_reply rcode=0 q:[] an:[('MX', 'ietf.org', 0, 'BOGUS', 4274224824212L, (0, 'mail.ietf.org'))]
<dns_reply rcode=0 q:[] an:[('A', 'mail.ietf.org', 0, 'BOGUS', 4274224824212L, '4.31.198.44')] ns:[] ar:[]>

We appreciate any inputs on how we can verify 1024-bit key signatures in FIPS mode.
Thanks,
rafiq


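Added example (not part of the thread, and not Unbound or OpenSSL code): a Python script that decodes the TLSA record quoted in the first message above into its RFC 6698 fields, shows the DANE matching step a client performs against a peer's certificate, and filters the `<dns_reply ...>` lines from the Unbound Python binding for answers that are not SECURE. The certificate and SubjectPublicKeyInfo bytes used in the check are constructed placeholders, and the sample reply lines are copied from the thread as constructed input.

```python
"""Decode and check the DANE data quoted in the thread (added example)."""
import hashlib
import re
from dataclasses import dataclass

# TLSA rdata for _25._tcp.mail.ietf.org as shown in the thread's non-FIPS
# answer (copied verbatim from the page).
TLSA_HEX = "0301010c72ac70b745ac19998811b131d662c9ac69dbdbe7cb23e5b514b56664c5d3d6"

# RFC 6698 field values.
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING = {0: None, 1: "sha256", 2: "sha512"}  # 0 = full data, no hash
DIGEST_LEN = {1: 32, 2: 64}


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    assoc_data: bytes


def parse_tlsa(hexdata: str) -> TLSA:
    """Parse presentation-format TLSA rdata (hex of the wire format)."""
    raw = bytes.fromhex(hexdata)
    if len(raw) < 4:
        raise ValueError("TLSA rdata too short")
    usage, selector, mtype, data = raw[0], raw[1], raw[2], raw[3:]
    if usage not in USAGES or selector not in SELECTORS or mtype not in MATCHING:
        raise ValueError("unassigned TLSA usage/selector/matching type")
    want = DIGEST_LEN.get(mtype)
    if want is not None and len(data) != want:
        raise ValueError(f"matching type {mtype} needs {want} bytes, got {len(data)}")
    return TLSA(usage, selector, mtype, data)


def describe_tlsa(rec: TLSA) -> str:
    """Human-readable form: usage / selector / matching type / data."""
    return (f"{USAGES[rec.usage]} / {SELECTORS[rec.selector]} / "
            f"{MATCHING[rec.matching_type] or 'Full'} / {rec.assoc_data.hex()}")


def tlsa_for_spki(spki_der: bytes) -> TLSA:
    """Build the DANE-EE / SPKI / SHA-256 record (3 1 1) for a given
    SubjectPublicKeyInfo, the same shape as the record in the thread."""
    return TLSA(3, 1, 1, hashlib.sha256(spki_der).digest())


def dane_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Apply the record's selector and matching type to the peer's
    certificate (DER) and its SubjectPublicKeyInfo (DER)."""
    selected = cert_der if rec.selector == 0 else spki_der
    algo = MATCHING[rec.matching_type]
    if algo is None:
        return selected == rec.assoc_data
    return hashlib.new(algo, selected).digest() == rec.assoc_data


# <dns_reply ...> lines from the thread, used here as constructed sample input.
SAMPLE_REPLIES = [
    "<dns_reply rcode=0 q:[] an:[('MX', 'ietf.org', 0, 'SECURE', 3963714400605L, (0, 'mail.ietf.org'))] ns:[] ar:[]>",
    "<dns_reply rcode=0 q:[] an:[('MX', 'ietf.org', 0, 'BOGUS', 4274224824212L, (0, 'mail.ietf.org'))]",
    "<dns_reply rcode=0 q:[] an:[('A', 'mail.ietf.org', 0, 'BOGUS', 4274224824212L, '4.31.198.44')] ns:[] ar:[]>",
]

# Matches the leading (rrtype, owner, ttl, status, ...) fields of each RR tuple.
_RR_RE = re.compile(r"\('([A-Z0-9]+)', '([^']+)', \d+, '([A-Z]+)'")


def answer_status(line: str) -> list:
    """Return [(rrtype, owner, status), ...] for one <dns_reply> line."""
    return _RR_RE.findall(line)


def not_secure(lines) -> list:
    """Answers whose DNSSEC status is anything other than SECURE. BOGUS means
    validation ran and failed, so DANE must not act on that answer."""
    return [(t, n, s) for line in lines for (t, n, s) in answer_status(line)
            if s != "SECURE"]


if __name__ == "__main__":
    print(describe_tlsa(parse_tlsa(TLSA_HEX)))
    for item in not_secure(SAMPLE_REPLIES):
        print("not usable for DANE:", item)
```

The record in the thread decodes as DANE-EE / SPKI / SHA-256 (3 1 1), so the validator's BOGUS result in FIPS mode blocks the whole DANE check: the TLSA record is only trustworthy if every step of the chain validated. To see why Unbound marked an answer BOGUS, the documented runtime options `verbosity:` and `val-log-level: 2` in unbound.conf (or `unbound-control verbosity N` on a running daemon) log the validator's reason; these are configuration settings, not configure-time build flags.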
