From: Matthijs Mekking
Date: Mon, 24 Jul 2023 12:04:15 +0000 (+0200)
Subject: Change RSASHA256 key length to be FIPS compliant
X-Git-Tag: v9.19.16~25^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2c978017b35d12495f3f8eb27b6213bfb18a227e;p=thirdparty%2Fbind9.git

Change RSASHA256 key length to be FIPS compliant

After commit f4eb3ba4, that is part of removing 'auto-dnssec', the inline system test started to fail in FIPS CI jobs. This is because the 'nsec3-loop' zone started to use a RSASHA256 key size of 1024 and this is not FIPS compliant.

This commit changes the key size from 1024 to 4096, in order to become FIPS compliant again.
---
diff --git a/bin/tests/system/inline/ns7/named.conf.in b/bin/tests/system/inline/ns7/named.conf.in
index 68ae04c209d..cd7e52ce138 100644
--- a/bin/tests/system/inline/ns7/named.conf.in
+++ b/bin/tests/system/inline/ns7/named.conf.in
@@ -53,7 +53,7 @@ dnssec-policy "nsec3" {
 keys {
 ksk key-directory lifetime unlimited algorithm RSASHA256 2048;
 zsk key-directory lifetime unlimited algorithm RSASHA256 2048;
- zsk key-directory lifetime unlimited algorithm RSASHA256 1024;
+ zsk key-directory lifetime unlimited algorithm RSASHA256 4096;
 };
 nsec3param iterations 0 optout no salt-length 0;
diff --git a/bin/tests/system/inline/ns7/sign.sh b/bin/tests/system/inline/ns7/sign.sh
index d89c8a81a97..8479388fdf6 100755
--- a/bin/tests/system/inline/ns7/sign.sh
+++ b/bin/tests/system/inline/ns7/sign.sh
@@ -19,6 +19,6 @@ zone=nsec3-loop
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=$($KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone)
+keyname=$($KEYGEN -q -a RSASHA256 -b 4096 -n zone $zone)
 keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone)
 keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone -f KSK $zone)
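Review bot: The new `zsk key-directory lifetime unlimited algorithm RSASHA256 4096;` line gives no hint of why this one ZSK is 4096 while the KSK and the other ZSK are 2048, so a later cleanup could "normalise" it to 2048 (making it indistinguishable from the line above) or back to 1024 (re-breaking the FIPS job the commit message describes). A one-line comment would pin both constraints: `// 4096 rather than 1024: RSA-1024 is rejected in FIPS mode; it must also differ from the 2048 ZSK above so this is a distinct key (keep in sync with sign.sh)`. If the only requirements are "FIPS-approved" and "not 2048", 3072 is presumably also acceptable and noticeably cheaper to generate than 4096 on every CI run; whichever size is kept, stating the reasoning in the comment or the commit message would help. The `dnssec-policy "nsec3"` block opens before this hunk and closes after it.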
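Review bot: The `-b 4096` on the new `keyname=$($KEYGEN -q -a RSASHA256 -b 4096 -n zone $zone)` line now has to agree with the 4096 in named.conf.in, and nothing in either file records that coupling or what happens when they drift (the policy would presumably no longer match the pre-generated key and named would create a new one). A comment above the three keygen lines, e.g. `# Sizes must match the "nsec3" dnssec-policy in named.conf.in; 4096 (not 1024) because FIPS mode rejects RSA-1024 and the ZSK sizes must differ.`, would make that explicit. Note also that `keyname` is overwritten by the next two assignments, so a failure of this 4096-bit keygen (the slowest of the three, and the one a FIPS provider is most likely to be fussy about) is only caught if the script runs under `set -e`, which is outside this hunk; if it does not, `keyname=$($KEYGEN -q -a RSASHA256 -b 4096 -n zone "$zone") || exit 1` (with `$zone` quoted) would fail loudly. The script's prologue and anything that later consumes `keyname` are outside the hunk.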