After commit
f4eb3ba4, which is part of removing 'auto-dnssec', the
inline system test started to fail in FIPS CI jobs. This is because
the 'nsec3-loop' zone started to use an RSASHA256 key with a size of
1024 bits, which is not FIPS compliant.
This commit changes the key size from 1024 to 4096, in order to
become FIPS compliant again.
keys {
ksk key-directory lifetime unlimited algorithm RSASHA256 2048;
zsk key-directory lifetime unlimited algorithm RSASHA256 2048;
- zsk key-directory lifetime unlimited algorithm RSASHA256 1024;
+ zsk key-directory lifetime unlimited algorithm RSASHA256 4096;
};
nsec3param iterations 0 optout no salt-length 0;
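Review bot: The changed `zsk` entry in the `keys` list has no comment explaining why it uses 4096 bits when the two neighbouring entries already use 2048, which the commit message implies is FIPS-acceptable. Presumably the second ZSK must differ in size from the first so the policy keeps two distinct ZSK entries, as it did with 1024 and 2048; if so, say that in the file. I would add above the changed line `// second ZSK: size deliberately differs from the first; RSASHA256 keys below 2048 bits are rejected in FIPS mode`. The enclosing policy block starts outside this hunk, so I cannot confirm whether it already has such a comment.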
zone=nsec3-loop
rm -f K${zone}.+*+*.key
rm -f K${zone}.+*+*.private
-keyname=$($KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone)
+keyname=$($KEYGEN -q -a RSASHA256 -b 4096 -n zone $zone)
keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone)
keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone -f KSK $zone)
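Review bot: The new `$KEYGEN ... -b 4096` call has no status check, and its result in `keyname` is overwritten by the next two assignments. If the crypto provider refuses a key size again, the failure would only surface later in the test, which appears to be what happened in the FIPS jobs. I would make the line fail loudly and quote the zone name: `keyname=$($KEYGEN -q -a RSASHA256 -b 4096 -n zone "$zone") || exit 1`, unless the script already runs under `set -e` outside this hunk. The `-b` values here also have to stay in step with the `keys` entries of the zone's policy, so a short comment would help, for example `# key sizes must match the nsec3-loop dnssec-policy; keep >= 2048 for FIPS`.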