Description of problem:
- ECDSA is Elliptic Curve Digital Signature Algorithm.
- ECDSA is supported in DNSSEC (RFC 6605)
- Both unbound and ldns support ECDSA
- But in Fedora 20, unbound and ldns do not support ECDSA as they are compiled with --disable-ecdsa.

Version-Release number of selected component (if applicable):
- Fedora 20

How reproducible:
- see spec file of unbound and ldns

Steps to Reproduce:
1. grep ecdsa ldns.spec
2. grep ecdsa unbound.spec

Actual results:
$ grep ecdsa ldns.spec
%configure --disable-rpath --disable-static --disable-gost --disable-ecdsa \
--disable-ecdsa \
--disable-ecdsa \
- Added --disable-ecdsa as ECC is still banned
% grep ecdsa unbound.spec
--enable-sha2 --disable-gost --disable-ecdsa \

Expected results:
- "--disable-ecdsa" is not seen in ldns.spec, unbound.spec
- ECDSA test is passed

Additional info:
- Similar bugs have also been solved for apache httpd, ssh, curl.

CloudFlare is planning to launch DNSSEC with ECDSA keys. RHEL/Fedora/CentOS provided Unbound will not be able to verify DNS replies for domains that CloudFlare is hosting if this issue is not resolved.
See also bug #1019390.
Oops. It was only enabled for el6, not Fedora branches. I will push out updates now. Note unbound no longer requires ldns (but ldns should also be fixed to enable support for it).
Both unbound and ldns are compiled with ECDSA support in F21+.
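
The grep in the steps to reproduce also matches the changelog entry ("- Added --disable-ecdsa as ECC is still banned"), which is history rather than build input. As an added example (not part of the original report or of the packages' spec files), this check reports only the flags in the active part of a spec file; the sample spec, its package name and the --with-example flag are constructed for illustration.

```shell
#!/bin/sh
# audit_spec FILE
# Print "LINE:FLAG" for every --disable-ecdsa / --disable-gost flag that is
# part of the build instructions. Text after %changelog and spec comments
# are ignored. Returns 1 if any such flag is found, 0 otherwise.
audit_spec() {
    awk '
        /^%changelog/ { exit }          # the rest is history, not build input
        /^[ \t]*#/    { next }          # spec comment
        {
            line = $0
            # a single line can carry several flags; report each one
            while (match(line, /--disable-(ecdsa|gost)/)) {
                print NR ":" substr(line, RSTART, RLENGTH)
                n++
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END { exit (n > 0) }
    ' "$1"
}

# Constructed sample spec (not the real ldns.spec or unbound.spec).
write_sample_spec() {
    cat > "$1" <<'EOF'
Name: example-resolver
# old build used --disable-ecdsa
%build
%configure --disable-rpath --disable-static --disable-gost --disable-ecdsa \
    --with-example
%changelog
- Added --disable-ecdsa as ECC is still banned
EOF
}

spec=$(mktemp)
write_sample_spec "$spec"
if audit_spec "$spec"; then
    echo "no DNSSEC algorithm disabled at build time"
else
    echo "DNSSEC algorithm support disabled at build time (flags listed above)"
fi
rm -f "$spec"
```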