Requesting more explicit support for and demonstration of FIPS compliant crypto library [ISC-support #13613]
Certain environments mandate the use of FIPS compliant TLS libraries for DNSSEC signing. At the moment restricting BIND to only build/run against FIPS compliant crypto libraries or demonstrating that a given instance is using a FIPS compliant library is rather implicit. This capability is often required to demonstrate compliance to auditors.
I'd like to request more explicit handling of FIPS in BIND, for example:
- It would be nice to have a BIND runtime command tool that reported the capabilities of the currently used crypto library. Since libraries might be opened dynamically and system/environment variables can affect library behavior this would provide certainty for the user.
- It would be nice to have a compile and/or runtime method to restrict BIND to using only crypto libraries with certain characteristics e.g. FIPS compliance which are typically exposed via library APIs.