Feature #21756
Update bind puppet module to use FIPS-approved hash function for dhcpd shared secret
Status: closed
Updated by Anonymous about 7 years ago
- Related to Feature #3511: As a security person, I would like Foreman to run in FIPS mode added
Updated by Ewoud Kohl van Wijngaarden about 7 years ago
- Status changed from New to Need more information
I'd argue this is currently a CANTFIX. According to rndc.conf (https://linux.die.net/man/5/rndc.conf):
The key statement begins with an identifying string, the name of the key. The statement has two clauses. algorithm identifies the encryption algorithm for rndc to use; currently only HMAC-MD5 is supported. This is followed by a secret clause which contains the base-64 encoding of the algorithm's encryption key. The base-64 string is enclosed in double quotes.
Updated by Ewoud Kohl van Wijngaarden about 7 years ago
Oh, looks like you can also use dnssec-keygen rather than rndc-confgen so maybe it's possible.
Updated by The Foreman Bot about 7 years ago
- Status changed from Need more information to Ready For Testing
- Assignee set to Anonymous
- Pull request https://github.com/theforeman/puppet-dns/pull/103 added
Updated by Anonymous about 7 years ago
Hash functions other than MD5 are supported in bind (and rndc-confgen) versions 9.10.0 and higher. See https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=4eb998928b9aef0ceda42d7529980d658138698a for details.
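For concreteness, here is an added shell example (not part of puppet-dns, this ticket, or BIND) that emits a key statement in the form rndc.conf(5) expects, refuses hmac-md5 for new keys, and scans an existing config for leftover hmac-md5 key statements. It draws the secret from /dev/urandom so it runs without BIND installed; on BIND 9.10+ the equivalent is `rndc-confgen -A hmac-sha256 -k rndc-key`. The function names, the 32-byte default, and the sample hmac-md5 stanza are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from puppet-dns or ISC.
# Emits an rndc.conf(5)-style key statement using a SHA-family HMAC
# (hmac-md5 is rejected: MD5 is not a FIPS-approved hash) and checks
# an existing config for hmac-md5 keys that still need regenerating.

# gen_rndc_key NAME ALGORITHM [BYTES]
# Prints a key statement; BYTES (default 32) is the raw secret length.
gen_rndc_key() {
    name="$1"; algo="$2"; bytes="${3:-32}"
    case "$algo" in
        hmac-sha1|hmac-sha224|hmac-sha256|hmac-sha384|hmac-sha512) ;;
        *) echo "refusing algorithm '$algo': not allowed for new keys" >&2; return 1 ;;
    esac
    # rndc.conf requires the secret as base64; strip any line wrapping
    # that base64(1) adds so the stanza stays on one line.
    secret=$(head -c "$bytes" /dev/urandom | base64 | tr -d '\n')
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$name" "$algo" "$secret"
}

# check_rndc_conf FILE
# Returns 1 if any key statement in FILE still selects hmac-md5.
check_rndc_conf() {
    if grep -Eiq 'algorithm[[:space:]]+hmac-md5' "$1"; then
        echo "$1: key statement uses hmac-md5; regenerate with a SHA-2 HMAC" >&2
        return 1
    fi
    return 0
}

# Demonstration (constructed): generate a key file and check it.
tmpdir=$(mktemp -d)
gen_rndc_key rndc-key hmac-sha256 > "$tmpdir/rndc.key"
check_rndc_conf "$tmpdir/rndc.key" && echo "$tmpdir/rndc.key: OK"
cat "$tmpdir/rndc.key"
rm -rf "$tmpdir"
```

The same `key { algorithm ...; secret "..."; };` block is what a named.conf `controls` stanza and, by my reading of dhcpd.conf(5), an `omapi-key` reference both point at, so one generated statement can be dropped into either side once the daemon version is known to accept the chosen HMAC.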
Updated by Anonymous about 7 years ago
Both bind and dhcpd use ISC's implementations of crypto hash functions (including MD5) and appear to be unaffected by openssl operating in FIPS mode. I don't think any actions are required.
Updated by Anonymous about 7 years ago
- Status changed from Ready For Testing to Resolved
Updated by Ewoud Kohl van Wijngaarden about 7 years ago
- Status changed from Resolved to Rejected