Unbound 1.11.0 FIPS mode issue
Wouter Wijngaards
wouter at nlnetlabs.nl
Fri May 7 12:32:25 UTC 2021
Hi Paul, Mohammad,
On 06/05/2021 20:58, Paul Wouters via Unbound-users wrote:
> On Thu, 6 May 2021, Mohammad Rafiq -X (mohrafiq - HCL TECHNOLOGIES
> LIMITED at Cisco) via Unbound-users wrote:
>
>> We are trying to enable verbosity in unbound, so far
>> we have tried below flags at the time of build.
>
> Why not set verbosity: in the unbound.conf configuration file?
>
>> Our goal is to add debug logs to identify code snippet where signature
>> verification takes place, to check the feasibility of bypassing FIPS
>> mode check and verify 1024 key sizes.
>
> This seems the wrong way of doing this. unbound should properly
> recognise when an algorithm is not available/configured to be
> used, and mark the algorithm properly as unsupported/unknown,
> so that existing code paths that already support this do
> the right thing.
Yes, I agree, and the commit
https://github.com/NLnetLabs/unbound/commit/59ea44322ea468e3dfcc056870f66136707b475d
implements it.
The ./configure --with-deprecate-rsa-1024 can be used to make unbound
ignore RSA 1024 keys. The result of a lookup for mail.ietf.org is then
insecure, not bogus. Perhaps this works with your OpenSSL FIPS setup.
Best regards, Wouter
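As an added illustration (not unbound's code and not from the commit linked above), here is a toy Python model of the validator rule Paul describes: a key the resolver cannot use is dropped as unsupported, a zone left with no usable key is treated as unsigned (insecure), and a verification failure under a usable key is bogus. The DNSKEY records, the `deprecate_rsa_1024` switch and the `signature_verifies` flag are assumptions constructed for this example.

```python
# Added illustration (not unbound's code): a toy model of the DNSSEC rule
# that an *unsupported* algorithm or key makes a zone insecure, while a
# *failed* verification makes it bogus (RFC 4035 sec. 5.2, RFC 6840 sec. 5.2).
from dataclasses import dataclass

RSASHA1, RSASHA1_NSEC3, RSASHA256, RSASHA512 = 5, 7, 8, 10
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 = 13, 14, 15
RSA_ALGORITHMS = {RSASHA1, RSASHA1_NSEC3, RSASHA256, RSASHA512}
SUPPORTED = RSA_ALGORITHMS | {ECDSAP256SHA256, ECDSAP384SHA384, ED25519}


@dataclass(frozen=True)
class DNSKEY:
    algorithm: int
    bits: int                 # RSA modulus size; constructed test data
    signature_verifies: bool  # constructed: would the crypto library accept
                              # the RRSIG made with this key?


def key_usable(key: DNSKEY, deprecate_rsa_1024: bool) -> bool:
    """Is this a key the validator is willing to verify with at all?"""
    if key.algorithm not in SUPPORTED:
        return False
    if deprecate_rsa_1024 and key.algorithm in RSA_ALGORITHMS and key.bits <= 1024:
        # Treat the key as unsupported (the effect the thread describes for
        # --with-deprecate-rsa-1024), not as a verification failure.
        return False
    return True


def validate(keys: list[DNSKEY], deprecate_rsa_1024: bool) -> str:
    """Classify a zone given the DNSKEYs matching its authenticated DS set.

    Keys the validator cannot use are dropped. If nothing usable remains, the
    zone is treated as unsigned ("insecure"). Otherwise a signature must verify
    under a usable key, or the zone is "bogus".
    """
    usable = [k for k in keys if key_usable(k, deprecate_rsa_1024)]
    if not usable:
        return "insecure"
    return "secure" if any(k.signature_verifies for k in usable) else "bogus"


if __name__ == "__main__":
    # A zone signed only with a 1024-bit RSA key, checked by a crypto library
    # that refuses 1024-bit RSA (the FIPS situation in the thread).
    rsa1024_only = [DNSKEY(RSASHA256, 1024, signature_verifies=False)]
    print(validate(rsa1024_only, deprecate_rsa_1024=False))  # bogus
    print(validate(rsa1024_only, deprecate_rsa_1024=True))   # insecure
```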