From 2c978017b35d12495f3f8eb27b6213bfb18a227e Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Mon, 24 Jul 2023 14:04:15 +0200 Subject: [PATCH] Change RSASHA256 key length to be FIPS compliant After commit f4eb3ba4, that is part of removing 'auto-dnssec', the inline system test started to fail in FIPS CI jobs. This is because the 'nsec3-loop' zone started to use a RSASHA256 key size of 1024 and this is not FIPS compliant. This commit changes the key size from 1024 to 4096, in order to become FIPS compliant again. --- bin/tests/system/inline/ns7/named.conf.in | 2 +- bin/tests/system/inline/ns7/sign.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/tests/system/inline/ns7/named.conf.in b/bin/tests/system/inline/ns7/named.conf.in index 68ae04c209..cd7e52ce13 100644 --- a/bin/tests/system/inline/ns7/named.conf.in +++ b/bin/tests/system/inline/ns7/named.conf.in @@ -53,7 +53,7 @@ dnssec-policy "nsec3" { keys { ksk key-directory lifetime unlimited algorithm RSASHA256 2048; zsk key-directory lifetime unlimited algorithm RSASHA256 2048; - zsk key-directory lifetime unlimited algorithm RSASHA256 1024; + zsk key-directory lifetime unlimited algorithm RSASHA256 4096; }; nsec3param iterations 0 optout no salt-length 0; diff --git a/bin/tests/system/inline/ns7/sign.sh b/bin/tests/system/inline/ns7/sign.sh index d89c8a81a9..8479388fdf 100755 --- a/bin/tests/system/inline/ns7/sign.sh +++ b/bin/tests/system/inline/ns7/sign.sh @@ -19,6 +19,6 @@ zone=nsec3-loop rm -f K${zone}.+*+*.key rm -f K${zone}.+*+*.private -keyname=$($KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone) +keyname=$($KEYGEN -q -a RSASHA256 -b 4096 -n zone $zone) keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone) keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone -f KSK $zone)