[Unbound-users] unbound 1.4.18rc1 maintainers prerelease

Paul Wouters paul at nohats.ca
Thu Jul 26 19:23:47 UTC 2012


On Thu, 26 Jul 2012, W.C.A. Wijngaards wrote:

> Unbound 1.4.18rc1 is available for download:

> This release has bugfixes, notably two assertion failures.

Seems to package fine and work.

> There is some support for FIPS-compliant mode, where it will
> understand that some algorithms are not available, those DNSSEC
> results are then marked 'insecure' (and not 'bogus').

Note I've encountered resolving issues with this, but have not had
time to track these down further. Don't do this yet in production.
If you want to test fips mode, simply run (as root)

prelink -ua

then you can flip FIPS mode using these simply scripts, without
actually having to boot the system in real fips mode:

cat /usr/local/sbin/fipson
#!/bin/sh

sudo umount /proc/sys/crypto/fips_enabled >/dev/null 2> /dev/null
echo "1" > /tmp/fips_enabled
sudo mount --bind /tmp/fips_enabled /proc/sys/crypto/fips_enabled

cat /usr/local/sbin/fipsoff
#!/bin/sh

sudo umount /proc/sys/crypto/fips_enabled > /dev/null 2>/dev/null
echo "0" > /tmp/fips_enabled
sudo mount --bind /tmp/fips_enabled /proc/sys/crypto/fips_enabled

If you're going to span testing over days, remove the unlink package.
At least on Fedora/RHEL, there is a daily cronjob that will run prelink,
resulting in openssl and nss libraries failing the FIPS internal self
test.

Paul



More information about the Unbound-users mailing list