Unbound 1.11.0 FIPS mode issue

Wouter Wijngaards wouter at nlnetlabs.nl
Fri May 7 12:32:25 UTC 2021

Hi Paul, Mohammad,

On 06/05/2021 20:58, Paul Wouters via Unbound-users wrote:
> On Thu, 6 May 2021, Mohammad Rafiq -X (mohrafiq - HCL TECHNOLOGIES
> LIMITED at Cisco) via Unbound-users wrote:
>>                 We are trying to enable verbosity in unbound, so far
>> we have tried below flags at the time of build.
> Why not set verbosity: in the unbound.conf configuration file ?
>> Our goal is to add debug logs to identify code snippet where signature
>> verification takes place, to check the feasibility of bypassing FIPS
>> mode check and verify 1024 key sizes.
> This seems the wrong way of doing this. unbound should properly
> recognise when an algorithm is not available/configured to be
> used, and mark the algorithm properly as unsupported/unknown,
> so that existing code paths that already support this, does
> the right thing.

Yes, I agree, and the commit
implements it.

The ./configure --with-deprecate-rsa-1024 can be used to make unbound
ignore RSA 1024 keys. The result of a lookup for mail.ietf.org is then
insecure, not bogus. Perhaps this works with your OpenSSL FIPS setup.

Best regards, Wouter

More information about the Unbound-users mailing list