Unbound 1.11.0 FIPS mode issue

Paul Wouters paul at nohats.ca
Fri May 7 14:03:32 UTC 2021


On Fri, 7 May 2021, Wouter Wijngaards wrote:

>> This seems the wrong way of doing this. unbound should properly
>> recognise when an algorithm is not available/configured to be
>> used, and mark the algorithm properly as unsupported/unknown,
>> so that existing code paths that already support this do
>> the right thing.
>
> Yes, I agree, and the commit
> https://github.com/NLnetLabs/unbound/commit/59ea44322ea468e3dfcc056870f66136707b475d
> implements it.
>
> The ./configure --with-deprecate-rsa-1024 can be used to make unbound
> ignore RSA 1024 keys. The result of a lookup for mail.ietf.org is then
> insecure, not bogus. Perhaps this works with your OpenSSL FIPS setup.

Excellent, now do --with-deprecate-sha1 and --without-deprecate-md5 :)

Paul
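The behaviour discussed in the thread (a key of an unsupported or deprecated algorithm makes the zone validate as insecure rather than bogus, per RFC 4035 section 5.2) as an added Python model; this is illustrative code written for this page, not Unbound's implementation. It assumes RFC 3110 wire encoding for RSA DNSKEYs and treats the RSA 1024 cutoff as "1024 bits or smaller is unsupported", mirroring the intent of --with-deprecate-rsa-1024; the sample keys are constructed, not real zone data.

```python
"""Model of unsupported-algorithm handling in a DNSSEC validator.

Constructed example, not Unbound's code. The rule modelled is RFC 4035
section 5.2: if no DNSKEY in the apex RRset uses an algorithm the
validator supports, the zone is treated as insecure (no supported
authentication path), not bogus. A deprecated RSA key size is folded
into the same "unsupported" path, as --with-deprecate-rsa-1024 does.
"""

RSA_ALGS = {5, 7, 8, 10}  # RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512


def rsa_modulus_bits(pubkey: bytes) -> int:
    """Return the modulus length of an RFC 3110 encoded RSA public key.

    Layout: 1-byte exponent length (0 means a 2-byte length follows),
    the exponent, then the modulus occupying the rest of the field.
    """
    if pubkey[0] != 0:
        exp_len, off = pubkey[0], 1
    else:
        exp_len, off = int.from_bytes(pubkey[1:3], "big"), 3
    modulus = pubkey[off + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()


def key_supported(alg, pubkey, supported_algs, deprecate_rsa_1024=True):
    """True if the validator can use this key at all (algorithm and size)."""
    if alg not in supported_algs:
        return False
    # Assumed cutoff: RSA keys of 1024 bits or smaller count as unsupported.
    if deprecate_rsa_1024 and alg in RSA_ALGS and rsa_modulus_bits(pubkey) <= 1024:
        return False
    return True


def validation_state(keys, signatures_verify, supported_algs, deprecate_rsa_1024=True):
    """keys: list of (algorithm, pubkey bytes) from the zone's DNSKEY RRset.

    'insecure' when no key is usable (RFC 4035 5.2), otherwise 'secure' if
    the signatures verify and 'bogus' if a usable key's signatures fail.
    """
    usable = [k for a, k in keys if key_supported(a, k, supported_algs, deprecate_rsa_1024)]
    if not usable:
        return "insecure"
    return "secure" if signatures_verify else "bogus"


# Constructed sample keys: exponent 65537, then a modulus of the stated size.
KEY_1024 = b"\x03\x01\x00\x01" + (1 << 1023).to_bytes(128, "big")
KEY_2048 = b"\x03\x01\x00\x01" + (1 << 2047).to_bytes(256, "big")
```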

