On Thu, 26 Jul 2012, W.C.A. Wijngaards wrote:
Unbound 1.4.18rc1 is available for download:
This release has bugfixes, notably two assertion failures.
Seems to package fine and work.
There is some support for FIPS-compliant mode, where it will understand that some algorithms are not available, those DNSSEC results are then marked 'insecure' (and not 'bogus').
Note I've encountered resolving issues with this, but have not had time to track these down further. Don't do this yet in production.

If you want to test fips mode, simply run (as root) prelink -ua then you can flip FIPS mode using these simple scripts, without actually having to boot the system in real fips mode:

cat /usr/local/sbin/fipson
#!/bin/sh
# Drop any earlier override, then bind-mount a file containing 1 over the flag
sudo umount /proc/sys/crypto/fips_enabled >/dev/null 2> /dev/null
echo "1" > /tmp/fips_enabled
sudo mount --bind /tmp/fips_enabled /proc/sys/crypto/fips_enabled

cat /usr/local/sbin/fipsoff
#!/bin/sh
# Same as fipson, but the bind-mounted file contains 0
sudo umount /proc/sys/crypto/fips_enabled > /dev/null 2>/dev/null
echo "0" > /tmp/fips_enabled
sudo mount --bind /tmp/fips_enabled /proc/sys/crypto/fips_enabled

If you're going to span testing over days, remove the unlink package. At least on Fedora/RHEL, there is a daily cronjob that will run prelink, resulting in openssl and nss libraries failing the FIPS internal self test.

Paul
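Added example, not part of the original post: a check that reports whether the FIPS flag currently comes from the kernel or from a bind mount like the one the scripts above create, so a test box left in simulated mode is not mistaken for a real FIPS boot. The function name, its two optional arguments and the sample mountinfo lines are assumptions of this example.

```shell
#!/bin/sh
# Added example: report whether the FIPS flag the crypto libraries read
# comes from the kernel or from a bind mount placed over it.
FIPS_FLAG=/proc/sys/crypto/fips_enabled

# fips_state [flag_file] [mountinfo_file]
# Both arguments are conveniences of this example so the check can be run
# against copies; with no arguments it inspects the live system.
fips_state() {
    flag=${1:-$FIPS_FLAG}
    mountinfo=${2:-/proc/self/mountinfo}
    [ -r "$flag" ] || { echo "unavailable"; return 0; }
    value=$(head -n 1 "$flag" | tr -d '[:space:]')

    # Field 5 of each mountinfo line is the mount point. Anything mounted
    # directly on the flag path means the value is not the kernel's own.
    if [ ! -r "$mountinfo" ]; then
        origin=unverified
    elif awk -v t="$FIPS_FLAG" '$5 == t { f = 1 } END { exit !f }' "$mountinfo"; then
        origin=simulated
    else
        origin=kernel
    fi

    case "$value" in
        1) echo "$origin-on" ;;
        0) echo "$origin-off" ;;
        *) echo "$origin-unknown" ;;
    esac
}

# Constructed sample: a mountinfo excerpt as it could look after fipson,
# with /tmp on tmpfs (mount IDs and device numbers are made up).
demo() {
    d=$(mktemp -d)
    echo 1 > "$d/flag"
    cat > "$d/mountinfo" <<'EOF'
22 60 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
95 22 0:38 /fips_enabled /proc/sys/crypto/fips_enabled rw,nosuid,nodev shared:18 - tmpfs tmpfs rw
EOF
    fips_state "$d/flag" "$d/mountinfo"
    rm -rf "$d"
}

demo    # prints: simulated-on
```

Called without arguments, `fips_state` reads the live `/proc` files and needs no root privileges.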
