Unbound 1.11.0 FIPS mode issue

Wouter Wijngaards wouter at nlnetlabs.nl
Fri May 7 14:14:58 UTC 2021

Hi Paul,

On 07/05/2021 16:03, Paul Wouters wrote:
> On Fri, 7 May 2021, Wouter Wijngaards wrote:
>>> This seems the wrong way of doing this. unbound should properly
>>> recognise when an algorithm is not available/configured to be
>>> used, and mark the algorithm properly as unsupported/unknown,
>>> so that existing code paths that already support this, does
>>> the right thing.
>> Yes, I agree, and the commit
>> https://github.com/NLnetLabs/unbound/commit/59ea44322ea468e3dfcc056870f66136707b475d
>> implements it.
>> The ./configure --with-deprecate-rsa-1024 can be used to make unbound
>> ignore RSA 1024 keys. The result of a lookup for mail.ietf.org is then
>> insecure, not bogus. Perhaps this works with your OpenSSL FIPS setup.
> Excellent, now do --with-deprecate-sha1 and --without-deprecate-md5 :)

This is called ./configure --disable-sha1 that disables SHA1 in that
manner. RSAMD5 is unsupported by default, deprecated in RFC 6725.

Best regards, Wouter

More information about the Unbound-users mailing list