
Feature #21756

Update bind puppet module to use FIPS-approved hash function for dhcpd shared secret

Added by Dmitri Dolguikh almost 4 years ago. Updated almost 4 years ago.

Status: Rejected
Priority: Normal
Category: Foreman modules
Target version: -
Difficulty:
Triaged: No
Bugzilla link:
Fixed in Releases:
Found in Releases:

Related issues

Related to Foreman - Feature #3511: As a security person, I would like Foreman to run in FIPS mode (Resolved)

History

#1 Updated by Dmitri Dolguikh almost 4 years ago

  • Related to Feature #3511: As a security person, I would like Foreman to run in FIPS mode added

#2 Updated by Ewoud Kohl van Wijngaarden almost 4 years ago

  • Status changed from New to Need more information

I'd argue this is currently a CANTFIX. According to rndc.conf (https://linux.die.net/man/5/rndc.conf):

The key statement begins with an identifying string, the name of the key. The statement has two clauses. algorithm identifies the encryption algorithm for rndc to use; currently only HMAC-MD5 is supported. This is followed by a secret clause which contains the base-64 encoding of the algorithm's encryption key. The base-64 string is enclosed in double quotes.

#3 Updated by Ewoud Kohl van Wijngaarden almost 4 years ago

Oh, looks like you can also use dnssec-keygen rather than rndc-confgen so maybe it's possible.

#4 Updated by The Foreman Bot almost 4 years ago

  • Assignee set to Dmitri Dolguikh
  • Status changed from Need more information to Ready For Testing
  • Pull request https://github.com/theforeman/puppet-dns/pull/103 added

#5 Updated by Dmitri Dolguikh almost 4 years ago

Hash functions other than MD5 are supported in bind (and rndc-confgen) versions 9.10.0 and higher. See https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=4eb998928b9aef0ceda42d7529980d658138698a for details.
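As an added example (not code from this issue, from puppet-dns, or from ISC), the following Python script audits the kind of key statement quoted in #2: it parses each key block out of an rndc.conf/named.conf fragment, flags hmac-md5 as not FIPS-approved, sanity-checks that the secret is valid base64 of a reasonable length, and can emit a replacement hmac-sha256 statement of the shape rndc-confgen produces on the BIND 9.10+ releases #5 refers to. The two sample configs and the 16-byte minimum secret length are constructed assumptions for the example, not values from the thread.

```python
"""Audit BIND key statements for a FIPS-approved HMAC algorithm.

Added example for the rndc.conf discussion above; not code from the issue,
puppet-dns or ISC. The sample configs and the secret-length threshold are
constructed for this example.
"""
import base64
import binascii
import re
import secrets

# Constructed sample: the legacy form rndc-confgen emitted before BIND 9.10.
SAMPLE_LEGACY = '''
key "rndc-key" {
    algorithm hmac-md5;
    secret "c3VwZXJzZWNyZXQ=";
};
'''

# Constructed sample: a SHA-256 key with a 32-byte secret.
SAMPLE_FIPS = '''
key "rndc-key" {
    algorithm hmac-sha256;
    secret "%s";
};
''' % base64.b64encode(b"constructed-32-byte-secret-value").decode("ascii")

# HMAC algorithms BIND accepts for rndc/TSIG keys (BIND 9.10+, per the thread).
# HMAC-MD5 is not FIPS-approved; the SHA-1 and SHA-2 HMACs are (SHA-2 preferred).
FIPS_APPROVED_HMACS = {"hmac-sha1", "hmac-sha224", "hmac-sha256",
                       "hmac-sha384", "hmac-sha512"}
MIN_SECRET_BYTES = 16  # assumed local policy threshold, not a BIND limit

KEY_BLOCK_RE = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*\{(.*?)\}\s*;', re.S)
ALGORITHM_RE = re.compile(r'algorithm\s+([\w-]+)\s*;')
SECRET_RE = re.compile(r'secret\s+"([^"]*)"\s*;')


def parse_key_statements(conf_text):
    """Return [{name, algorithm, secret}] for every key block in conf_text."""
    keys = []
    for name, body in KEY_BLOCK_RE.findall(conf_text):
        alg = ALGORITHM_RE.search(body)
        sec = SECRET_RE.search(body)
        keys.append({
            "name": name,
            "algorithm": alg.group(1).lower() if alg else None,
            "secret": sec.group(1) if sec else None,
        })
    return keys


def audit_key(key):
    """Return a list of findings for one key; an empty list means it passes."""
    findings = []
    alg = key["algorithm"]
    if alg is None:
        findings.append("missing algorithm clause")
    elif alg not in FIPS_APPROVED_HMACS:
        findings.append(f"algorithm {alg} is not FIPS-approved")
    secret = key["secret"]
    if secret is None:
        findings.append("missing secret clause")
    else:
        try:
            raw = base64.b64decode(secret, validate=True)
        except (binascii.Error, ValueError):
            findings.append("secret is not valid base64")
        else:
            if len(raw) < MIN_SECRET_BYTES:
                findings.append(f"secret is only {len(raw)} bytes")
    return findings


def audit_config(conf_text):
    """Map key name -> findings for every key statement in the config."""
    return {k["name"]: audit_key(k) for k in parse_key_statements(conf_text)}


def generate_key_statement(name, algorithm="hmac-sha256", nbytes=32):
    """Build a replacement key statement in the shape rndc-confgen writes.

    Uses the standard-library CSPRNG; on a real host, prefer the ISC tool
    itself (rndc-confgen -A hmac-sha256) so the output matches the installed
    BIND version exactly. Refuses non-approved algorithms.
    """
    if algorithm not in FIPS_APPROVED_HMACS:
        raise ValueError(f"refusing to generate a {algorithm} key")
    secret = base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")
    return (f'key "{name}" {{\n'
            f'    algorithm {algorithm};\n'
            f'    secret "{secret}";\n'
            f'}};\n')


if __name__ == "__main__":
    for label, conf in (("legacy", SAMPLE_LEGACY), ("fips", SAMPLE_FIPS)):
        for key_name, findings in audit_config(conf).items():
            print(f"[{label}] {key_name}: {findings or 'ok'}")
    print(generate_key_statement("rndc-key"))
```

Running the script reports the legacy sample as both non-FIPS and short-keyed, passes the SHA-256 sample, and prints a fresh hmac-sha256 statement that itself passes the audit. A Puppet module would normally hand the algorithm choice to rndc-confgen rather than generate the secret in Ruby or Python, but the audit half is useful on its own for catching hmac-md5 keys left behind in existing configs.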

#6 Updated by Dmitri Dolguikh almost 4 years ago

Both bind and dhcpd use ISC's implementations of crypto hash functions (including MD5) and appear to be unaffected by OpenSSL operating in FIPS mode. I don't think any actions are required.

#7 Updated by Dmitri Dolguikh almost 4 years ago

  • Status changed from Ready For Testing to Resolved

#8 Updated by Ewoud Kohl van Wijngaarden almost 4 years ago

  • Status changed from Resolved to Rejected
