Bug 2079548

Summary: [unbound: FIPS mode] does not resolve ED25519 and ED448
Product: Red Hat Enterprise Linux 9
Reporter: Petr Menšík <pemensik>
Component: unbound
Assignee: Petr Menšík <pemensik>
Status: CLOSED ERRATA
QA Contact: Petr Sklenar <psklenar>
Severity: unspecified
Priority: unspecified
Version: 9.0
CC: psklenar
Target Milestone: rc
Keywords: Patch, Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: unbound-1.16.0-3.el9
Doc Type: If docs needed, set a value
Last Closed: 2022-11-15 10:15:56 UTC
Type: Bug
Deadline: 2022-05-23

Description Petr Menšík 2022-04-27 18:44:13 UTC
Description of problem:
Similar to bug #2077889 for bind, unbound also does not pass validation of ED25519 and ED448 algorithms.

Version-Release number of selected component (if applicable):
unbound-1.13.1-13.el9_0.x86_64

How reproducible:
reliable

Steps to Reproduce:
1. fips-mode-setup --enable && reboot
2. unbound-host -rvD secure.d4a16n3.rootcanary.net.

Actual results:
secure.d4a16n3.rootcanary.net. has address 145.97.20.20
validation failure <secure.d4a16n3.rootcanary.net. A IN>: use of key for crypto failed from 10.2.32.1 for key d4a16n3.rootcanary.net. while building chain of trust
secure.d4a16n3.rootcanary.net. has IPv6 address 2001:610:188:408::20
validation failure <secure.d4a16n3.rootcanary.net. AAAA IN>: key for validation d4a16n3.rootcanary.net. is marked as invalid because of a previous validation failure <secure.d4a16n3.rootcanary.net. A IN>: use of key for crypto failed from 10.2.32.1 for key d4a16n3.rootcanary.net. while building chain of trust
validation failure <secure.d4a16n3.rootcanary.net. MX IN>: key for validation d4a16n3.rootcanary.net. is marked as invalid because of a previous validation failure <secure.d4a16n3.rootcanary.net. A IN>: use of key for crypto failed from 10.2.32.1 for key d4a16n3.rootcanary.net. while building chain of trust


Expected results:
secure.d4a16n3.rootcanary.net. has address 145.97.20.20 (insecure)
secure.d4a16n3.rootcanary.net. has IPv6 address 2001:610:188:408::20 (insecure)
secure.d4a16n3.rootcanary.net. has no mail handler record (insecure)



Additional info:
This check might eventually need to be removed, once those algorithms are approved for FIPS.
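As an added example (not code from unbound or from this bug report), a small Python model of the DNSSEC validator decision behind the actual and expected results above: once the validator's advertised algorithm support matches what the FIPS crypto backend can really use, an ED25519-only delegation is treated as Insecure instead of Bogus. The algorithm sets, the DS record and the two "claim" functions are constructed assumptions for illustration.

```python
"""Model of the Bogus-versus-Insecure decision this bug exercises (constructed
example, not unbound's code). RFC 4035 section 5.2: a delegation whose DS set
names only algorithms the validator does not support is Insecure; Bogus is for
a supported algorithm whose signature check fails. "use of key for crypto
failed" is the validator claiming ED25519/ED448 support that the FIPS backend
then refuses, which turns the chain Bogus instead of Insecure.
"""
from dataclasses import dataclass

# DNSSEC algorithm numbers from the IANA registry
RSASHA256, ECDSAP256SHA256, ED25519, ED448 = 8, 13, 15, 16
# Algorithms the modelled backend can use (constructed subset)
ALL_ALGS = {RSASHA256, ECDSAP256SHA256, ED25519, ED448}
# Ed25519/Ed448 are not FIPS-approved, so the FIPS backend rejects them
FIPS_ALGS = ALL_ALGS - {ED25519, ED448}

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int

def backend_can_use(algorithm: int, fips_mode: bool) -> bool:
    """The crypto operation itself: fails for non-approved algorithms in FIPS mode."""
    return algorithm in (FIPS_ALGS if fips_mode else ALL_ALGS)

def buggy_claim(algorithm: int, fips_mode: bool) -> bool:
    """Pre-fix support list: advertises every algorithm regardless of FIPS mode."""
    return algorithm in ALL_ALGS

def fixed_claim(algorithm: int, fips_mode: bool) -> bool:
    """Post-fix support list: advertises only what the backend can actually use."""
    return backend_can_use(algorithm, fips_mode)

def validate_chain(ds_set, fips_mode: bool, claims_support) -> str:
    """Return 'secure', 'insecure' or 'bogus' for one delegation.
    claims_support() is the advertised algorithm support, consulted before any
    key is touched; backend_can_use() is the later crypto call on the key."""
    usable = [ds for ds in ds_set if claims_support(ds.algorithm, fips_mode)]
    if not usable:
        return "insecure"  # no supported DS: RFC 4035 5.2 says treat as unsigned
    if any(backend_can_use(ds.algorithm, fips_mode) for ds in usable):
        return "secure"    # signature verification modelled as succeeding
    return "bogus"         # support was claimed but every crypto attempt failed

# Constructed DS set shaped like the ED25519-signed rootcanary test zone
ED25519_ZONE = [DS(key_tag=12345, algorithm=ED25519)]
if __name__ == "__main__":
    print("buggy, FIPS:", validate_chain(ED25519_ZONE, True, buggy_claim))      # bogus
    print("fixed, FIPS:", validate_chain(ED25519_ZONE, True, fixed_claim))      # insecure
    print("fixed, no FIPS:", validate_chain(ED25519_ZONE, False, fixed_claim))  # secure
```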

Comment 6 Petr Menšík 2022-07-07 11:04:32 UTC
Finally merged by upstream without modification.

Comment 7 Petr Menšík 2022-07-08 18:07:47 UTC
Prepared pull request

Comment 17 errata-xmlrpc 2022-11-15 10:15:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: unbound security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:8062