Unbound 1.11.0 FIPS mode issue

Paul Wouters paul at nohats.ca
Fri May 7 13:43:28 UTC 2021



On May 2, 2021, at 13:12, Florian Weimer via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:
> 
> * Tuomo Soini via Unbound-users:
> 
>>> On Fri, 30 Apr 2021 15:30:35 +0000
>>> "Mohammad Rafiq -X \(mohrafiq - HCL TECHNOLOGIES LIMITED at Cisco\) via
>>> Unbound-users" <unbound-users at lists.nlnetlabs.nl> wrote:
>>> We appreciate any inputs on how we can verify 1024 key sizes
>>> signature verification in FIPS mode. Thanks,
>>> rafiq
>> Afaik you can't. 1024 bit keys are not permitted by FIPS.
> 
> But shouldn't the result be insecure, and not bogus in this case?


Yes it should be. Just like for when SHA-1 is not available.

Unfortunately, unbound doesn’t check on startup whether these algorithms and key sizes are working.

Or alternatively, it does not accept an option that could be set to mark things as insecure. 

The latter would be great, since then the system-wide crypto policies can drop an include file in unbound.d to configure it properly.

I’ll see about creating a patch for this.

Paul
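The distinction the thread turns on, "insecure" versus "bogus", can be shown with a small model. The block below is an added example, not code from the unbound-users thread or from Unbound itself: it models a validator whose crypto backend may refuse an algorithm or key size (as OpenSSL does in FIPS mode), applying the RFC 4035 section 5.2 rule that a signature the resolver cannot verify because it lacks the algorithm makes the data insecure, while a verification that was attempted and failed makes it bogus. The `hash_usable` startup probe, the `min_rsa_bits` policy value and the `insecure_algs` option (a stand-in for the config knob Paul proposes) are assumptions constructed for the example.

```python
"""Added example, not part of the mailing-list thread or of Unbound.

Models the validation outcome a DNSSEC validator should produce when the
crypto backend cannot verify a given algorithm or key size. The backend
probe and the policy values are constructed for this example.
"""
import hashlib
from dataclasses import dataclass

# DNSSEC algorithm numbers from the IANA registry
RSASHA1 = 5
RSASHA256 = 8
ECDSAP256SHA256 = 13

# Hash function each algorithm needs; used by the startup probe below
HASH_FOR_ALG = {RSASHA1: "sha1", RSASHA256: "sha256", ECDSAP256SHA256: "sha256"}


@dataclass(frozen=True)
class Key:
    alg: int
    bits: int


@dataclass(frozen=True)
class Sig:
    alg: int
    key: Key
    valid: bool  # stands in for the actual signature check in this model


def hash_usable(name):
    """Probe the hash backend the way a startup self-check could.
    A FIPS-restricted hashlib raises ValueError for a hash it refuses
    to use for security purposes (e.g. SHA-1)."""
    try:
        hashlib.new(name, usedforsecurity=True)
    except ValueError:
        return False
    except TypeError:  # Python < 3.9 has no usedforsecurity flag
        hashlib.new(name)
    return True


def backend_supports(alg, key, min_rsa_bits=2048, insecure_algs=()):
    """True if the backend can verify signatures made with alg/key.

    min_rsa_bits models a backend that rejects short RSA keys (constructed
    value). insecure_algs models the proposed config option: algorithms the
    operator marks as unsupported so zones using them validate as insecure.
    """
    if alg in insecure_algs or alg not in HASH_FOR_ALG:
        return False
    if not hash_usable(HASH_FOR_ALG[alg]):
        return False
    if alg in (RSASHA1, RSASHA256) and key.bits < min_rsa_bits:
        return False
    return True


def validate(sigs, **policy):
    """Return 'secure', 'insecure' or 'bogus' for an RRset's signatures.

    Unsupported signatures are skipped rather than counted as failures:
    only a signature the backend actually tried and rejected yields bogus.
    """
    attempted = False
    for s in sigs:
        if not backend_supports(s.alg, s.key, **policy):
            continue
        attempted = True
        if s.valid:
            return "secure"
    return "bogus" if attempted else "insecure"


if __name__ == "__main__":
    # Constructed sample: a zone signed only with a 1024-bit RSA key
    rsa1024 = Key(RSASHA256, 1024)
    print(validate([Sig(RSASHA256, rsa1024, True)], min_rsa_bits=2048))  # insecure
    print(validate([Sig(RSASHA256, rsa1024, True)], min_rsa_bits=1024))  # secure
```

Running the block on a non-FIPS host prints "insecure" then "secure": the same valid 1024-bit signature is downgraded to insecure, never bogus, when the backend policy refuses the key size, whereas a signature the backend does verify and rejects still produces bogus. An operator-supplied `insecure_algs` list gives the same insecure outcome without relying on the crypto library to refuse the algorithm at verification time.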

