Skip to content

Requesting more explicit support for and demonstration of FIPS compliant crypto library [ISC-support #13613]

Description

Certain environments mandate the use of FIPS compliant TLS libraries for DNSSEC signing. At the moment restricting BIND to only build/run against FIPS compliant crypto libraries or demonstrating that a given instance is using a FIPS compliant library is rather implicit. This capability is often required to demonstrate compliance to auditors.

Request

I'd like to request more explicit handling of FIPS in BIND, for example:

  1. It would be nice to have a BIND runtime command tool that reported the capabilities of the currently used crypto library. Since libraries might be opened dynamically and system/environment variables can affect library behavior this would provide certainty for the user.
  2. It would be nice to have a compile and/or runtime method to restrict BIND to using only crypto libraries with certain characteristics e.g. FIPS compliance which are typically exposed via library APIs.

Links / references

Edited by Cathy Almond
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information