Bug 1064149 - unbound and ldns are disabled ECDSA support for DNSSEC
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: unbound
Version: 20
Hardware: Unspecified
OS: Unspecified
Assignee: Paul Wouters
QA Contact: Fedora Extras Quality Assurance
Blocks: ecc
Reported: 2014-02-12 06:09 UTC by sshida
Modified: 2015-04-08 12:53 UTC (History)
Last Closed: 2015-04-08 12:53:41 UTC
Type: Bug

Description sshida 2014-02-12 06:09:55 UTC
Description of problem:
- ECDSA is Elliptic Curve Digital Signature Algorithm.
- ECDSA is supported in DNSSEC (RFC 6605)
- Both unbound and ldns support ECDSA
- But in Fedora 20, unbound and ldns do not support ECDSA,
  as they are compiled with --disable-ecdsa.

Version-Release number of selected component (if applicable):
- Fedora 20

How reproducible:
- see spec file of unbound and ldns

Steps to Reproduce:
1. grep ecdsa ldns.spec
2. grep ecdsa unbound.spec

Actual results:
$ grep ecdsa ldns.spec
%configure --disable-rpath --disable-static --disable-gost --disable-ecdsa \
   --disable-ecdsa \
   --disable-ecdsa \
- Added --disable-ecdsa as ECC is still banned

% grep ecdsa unbound.spec
            --enable-sha2 --disable-gost --disable-ecdsa \

Expected results:
- "--disable-ecdsa" is not seen in ldns.spec, unbound.spec
- ECDSA test passes

Additional info:
- Similar bugs have also been solved in apache httpd, ssh, curl.
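
The plain `grep ecdsa` in the steps above also matches the changelog entry, so a hit does not prove the build itself disables ECDSA. The script below is an added example (not part of the report or of Fedora's packaging) that inspects only configure invocations, joins backslash-continued lines, and goes slightly beyond the report by also flagging `--disable-gost`. The function names and the sample spec are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): list DNSSEC algorithm families
# that the configure invocations in a spec file switch off.

disabled_dnssec_algos() {
    awk '
        /^%changelog/ { exit }      # changelog prose is not build configuration
        /^[ \t]*#/    { next }      # skip spec comments
        {
            line = $0
            # Join backslash-continued lines into one logical command.
            while (line ~ /\\[ \t]*$/ && (getline nxt) > 0) {
                sub(/\\[ \t]*$/, " ", line)
                line = line nxt
            }
            if (line !~ /configure/) next
            n = split(line, tok, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                if (tok[i] == "--disable-ecdsa") ecdsa = 1
                if (tok[i] == "--disable-gost")  gost = 1
            }
        }
        END {
            if (ecdsa) print "ecdsa disabled: algorithms 13, 14 (RFC 6605)"
            if (gost)  print "gost disabled: algorithm 12 (RFC 5933)"
        }
    ' "$1"
}

# Constructed sample spec; $1 is the flag set to place in %configure.
sample_spec() {
    cat <<EOF
%build
%configure --disable-rpath --enable-sha2 \\
    $1 \\
    --with-libevent
make

%changelog
- Added --disable-ecdsa as ECC is still banned
EOF
}

spec=$(mktemp)
sample_spec "--disable-gost --disable-ecdsa" > "$spec"
disabled_dnssec_algos "$spec"
rm -f "$spec"
```

An empty result for a spec whose changelog still mentions the flag means the build no longer passes it.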

Comment 1 Ilari Stenroth 2015-01-31 22:07:40 UTC
CloudFlare is planning to launch DNSSEC with ECDSA keys. RHEL/Fedora/CentOS provided Unbound will not be able to verify DNS replies for domains that CloudFlare is hosting if this issue is not resolved.

Comment 2 Ilari Stenroth 2015-01-31 22:18:03 UTC
See also bug #1019390.

Comment 3 Paul Wouters 2015-02-02 15:33:40 UTC
Oops. It was only enabled for el6, not Fedora branches. I will push out updates now.

Note unbound no longer requires ldns (but ldns should also be fixed to enable support for it).

Comment 4 Tomáš Hozza 2015-04-08 12:53:41 UTC
Both unbound and ldns are compiled with ECDSA support in F21+.

