--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "rsasha256" {
+ keys {
+ csk lifetime P10Y algorithm rsasha256 2048;
+ };
+ nsec3param iterations 150;
+};
+
+dnssec-policy "rsasha256-bad" {
+ keys {
+ csk lifetime P10Y algorithm rsasha256 2048;
+ };
+ nsec3param iterations 151;
+};
+
+dnssec-policy "rsasha512" {
+ keys {
+ csk lifetime P10Y algorithm rsasha512 4096;
+ };
+ nsec3param iterations 150;
+};
+
+dnssec-policy "rsasha512-bad" {
+ keys {
+ csk lifetime P10Y algorithm rsasha512 4096;
+ };
+ nsec3param iterations 151;
+};
+
+zone "example.net" {
+ type primary;
+ file "example.db";
+ dnssec-policy "default";
+ inline-signing yes;
+};
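Review bot: This fixture carries no comment explaining why it exists alongside kasp-bad-nsec3-iter.conf, yet the test that loads it (L53-L64 on this page) asserts an exact output line count, so any later addition or removal of a policy here silently breaks that expectation. I would add a short header under the license block, e.g. `/* FIPS-mode variant of kasp-bad-nsec3-iter.conf: only RSASHA256/RSASHA512 policies are listed, two of them with an out-of-range nsec3param iteration count (151), so named-checkconf must emit exactly two "out of range" errors. RSASHA1 policies are omitted because FIPS mode rejects the algorithm before the iteration check runs. */`. The claim about what the non-FIPS file contains is inferred from the expected count of 3 versus 2 and should be confirmed against that file.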
n=`expr $n + 1`
echo_i "checking named-checkconf kasp nsec3 iterations errors ($n)"
ret=0
-$CHECKCONF kasp-bad-nsec3-iter.conf > checkconf.out$n 2>&1 && ret=1
+if $FEATURETEST --have-fips-mode; then
+ conf=kasp-bad-nsec3-iter-fips.conf
+ expect=2
+else
+ conf=kasp-bad-nsec3-iter.conf
+ expect=3
+fi
+$CHECKCONF $conf > checkconf.out$n 2>&1 && ret=1
grep "dnssec-policy: nsec3 iterations value 151 out of range" < checkconf.out$n > /dev/null || ret=1
lines=$(wc -l < "checkconf.out$n")
-if [ $lines -ne 3 ]; then ret=1; fi
+if [ $lines -ne $expect ]; then ret=1; fi
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
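Review bot: The FIPS branch added on L53-L59 only lowers the expected line count; it does not exercise either FIPS-specific error path the same commit introduces (the RSASHA1 rejection and the 2048-bit RSA minimum), because the fixture it selects on L54 contains no RSASHA1 policy and no key shorter than 2048 bits. If an RSASHA1 policy were added to the FIPS fixture, this test could pin the new message with `if $FEATURETEST --have-fips-mode; then grep "not supported in FIPS mode" < checkconf.out$n > /dev/null || ret=1; fi` after the grep on L61, with `expect` raised accordingly; otherwise a separate check for that path is needed. Separately, `--have-fips-mode` reads as a build-capability probe, whereas the C side gates on `isc_fips_mode()` at run time; if those can disagree (FIPS-capable build, FIPS not enabled), `expect=2` will be wrong, so it is worth confirming what the feature test actually reports.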
#include <stdbool.h>
#include <stdlib.h>
+#include <isc/fips.h>
#include <isc/mem.h>
#include <isc/region.h>
#include <isc/result.h>
goto cleanup;
}
+ if (isc_fips_mode() &&
+ (key->algorithm == DNS_KEYALG_RSASHA1 ||
+ key->algorithm == DNS_KEYALG_NSEC3RSASHA1))
+ {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "dnssec-policy: algorithm %s not supported "
+ "in FIPS mode",
+ alg.base);
+ result = DNS_R_BADALG;
+ goto cleanup;
+ }
+
obj = cfg_tuple_get(config, "length");
if (cfg_obj_isuint32(obj)) {
uint32_t min, size;
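Review bot: The new FIPS guard on L75-L85 has no comment on why RSASHA1 and NSEC3RSASHA1 are singled out or why it sits before the key-length check, which is the kind of policy decision a maintainer will otherwise have to rediscover. I would add above the `if`: `/* SHA-1 signing is not approved under FIPS 140, so reject the RSASHA1 variants outright here, before the length check below can report a misleading key-size error for them. */`. The enclosing function starts before this hunk and continues past it, so I cannot see whether `alg.base` is guaranteed NUL-terminated for the `%s` on L80-L82; if the existing messages in this function already print it the same way that is fine, otherwise it should be checked.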
case DNS_KEYALG_NSEC3RSASHA1:
case DNS_KEYALG_RSASHA256:
case DNS_KEYALG_RSASHA512:
- min = DNS_KEYALG_RSASHA512 ? 1024 : 512;
+ if (isc_fips_mode()) {
+ min = 2048;
+ } else {
+ min = DNS_KEYALG_RSASHA512 ? 1024 : 512;
+ }
if (size < min || size > 4096) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"dnssec-policy: key with "