From: Wouter Wijngaards
Date: Thu, 30 Aug 2012 12:02:53 +0000 (+0000)
Subject: - RFC6725 deprecates RSAMD5: this DNSKEY algorithm is disabled.
X-Git-Tag: release-1.4.19rc1~24
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5e5e89b9f5b5330bcffba59a6c4a6ab5abd4a281;p=thirdparty%2Funbound.git
- RFC6725 deprecates RSAMD5: this DNSKEY algorithm is disabled.
git-svn-id: file:///svn/unbound/trunk@2753 be551aaa-1e26-0410-a405-d3ace91eadb9
---
diff --git a/doc/Changelog b/doc/Changelog
index ee65b512a..399ea9b46 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+30 August 2012: Wouter
+ - RFC6725 deprecates RSAMD5: this DNSKEY algorithm is disabled.
+
 29 August 2012: Wouter
 - Nicer comments outgoing-port-avoid, thanks Stu (bug #465).
diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c
index f3f861ee2..676399733 100644
--- a/validator/val_secalgo.c
+++ b/validator/val_secalgo.c
@@ -152,13 +152,8 @@ dnskey_algo_id_is_supported(int id)
 {
 switch(id) {
 case LDNS_RSAMD5:
-#ifdef HAVE_FIPS_MODE
- /* openssl can return if the system is in FIPS mode,
- * which does not allow MD5 hashes for network traffic */
- return !FIPS_mode();
-#else
- return 1;
-#endif
+ /* RFC 6725 deprecates RSAMD5 */
+ return 0;
 case LDNS_DSA:
 case LDNS_DSA_NSEC3:
 case LDNS_RSASHA1:
@@ -621,8 +616,8 @@ dnskey_algo_id_is_supported(int id)
 /* uses libNSS */
 switch(id) {
 case LDNS_RSAMD5:
- /* disable MD5 support if FIPS mode is enabled in libnss */
- return !PK11_IsFIPS();
+ /* RFC 6725 deprecates RSAMD5 */
+ return 0;
 case LDNS_DSA:
 case LDNS_DSA_NSEC3:
 case LDNS_RSASHA1:
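Review bot: The comment added at `case LDNS_RSAMD5:` in the hunk at -152 cites the RFC but does not say what the unconditional `return 0` means for validation, which is what a maintainer needs to know; something like `/* RFC 6725 deprecates RSAMD5: always report it as unsupported */` would state it. From the function name, callers read 0 as "algorithm not supported", and presumably a zone signed only with RSAMD5 is then handled as insecure rather than bogus; that should be confirmed and noted in the comment or the Changelog entry. Any RSAMD5 branch that remains in the signature-verification path of this file is not visible in these hunks; if one exists, it is worth removing or making it fail so that a caller which skips this check cannot still reach MD5. The same applies to the libNSS copy in the hunk at -621, and the function body continues outside both hunks.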