Bug 1064149 - unbound and ldns are disabled ECDSA support for DNSSEC
Summary: unbound and ldns are disabled ECDSA support for DNSSEC
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: unbound
Version: 20
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
Assignee: Paul Wouters
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: ecc
Reported: 2014-02-12 06:09 UTC by sshida
Modified: 2015-04-08 12:53 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-04-08 12:53:41 UTC
Type: Bug
Embargoed:



Description sshida 2014-02-12 06:09:55 UTC
Description of problem:
- ECDSA is Elliptic Curve Digital Signature Algorithm.
- ECDSA is supported in DNSSEC (RFC 6605)
- Both unbound and ldns support ECDSA
- But in Fedora 20, unbound and ldns do not support ECDSA
  as they are compiled with --disable-ecdsa.

Version-Release number of selected component (if applicable):
- Fedora 20

How reproducible:
- see spec file of unbound and ldns

Steps to Reproduce:
1. grep ecdsa ldns.spec
2. grep ecdsa unbound.spec

Actual results:
$ grep ecdsa ldns.spec
%configure --disable-rpath --disable-static --disable-gost --disable-ecdsa \
   --disable-ecdsa \
   --disable-ecdsa \
- Added --disable-ecdsa as ECC is still banned

% grep ecdsa unbound.spec
            --enable-sha2 --disable-gost --disable-ecdsa \

Expected results:
- "--disable-ecdsa" is not seen in ldns.spec, unbound.spec
- ECDSA test passes

Additional info:
- Similar bugs have also been solved in apache httpd, ssh, curl.
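
Added example, not part of the original report or of the Fedora packages: a plain `grep ecdsa` also matches the changelog line, so this hypothetical helper (`disabled_dnssec_algos`, run here on a constructed sample spec) reads only the `%configure` commands and follows their backslash continuations. The algorithm numbers come from RFC 6605 (ECDSA) and RFC 5933 (GOST).

```shell
#!/bin/sh
# Added example (hypothetical helper, not Fedora packaging code).
# Prints the DNSSEC algorithm families a spec file switches off in its
# %configure commands. Unlike a plain grep it follows backslash
# continuations and stops at %changelog, so changelog prose is not counted.
disabled_dnssec_algos() {
    awk '
        /^%changelog/ { exit }                  # not build input; END still runs
        /^[ \t]*%configure/ { in_cfg = 1 }      # start of a configure command
        in_cfg {
            cont = sub(/\\[ \t]*$/, "")         # 1 if the command continues
            for (i = 1; i <= NF; i++) {
                if ($i == "--disable-ecdsa") off["ecdsa"] = 1
                if ($i == "--disable-gost")  off["gost"]  = 1
            }
            if (!cont) in_cfg = 0
        }
        END {
            # Algorithm numbers: 13 and 14 from RFC 6605, 12 from RFC 5933.
            if ("ecdsa" in off) print "ecdsa disabled: algorithms 13,14"
            if ("gost" in off)  print "gost disabled: algorithm 12"
        }
    ' "$1"
}

# Constructed spec fragment modelled on the grep output in the report.
write_sample_spec() {
    cat > "$1" <<'EOF'
Name: example
%build
%configure --disable-rpath --disable-static --disable-gost \
    --disable-ecdsa \
    --with-example
make
%changelog
- Added --disable-ecdsa as ECC is still banned
EOF
}

spec=$(mktemp)
write_sample_spec "$spec"
disabled_dnssec_algos "$spec"
rm -f "$spec"
```

Empty output means no `%configure` command in the spec disables ECDSA or GOST, even if the changelog still mentions the flag.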

Comment 1 Ilari Stenroth 2015-01-31 22:07:40 UTC
CloudFlare is planning to launch DNSSEC with ECDSA keys. RHEL/Fedora/CentOS provided Unbound will not be able to verify DNS replies for domains that CloudFlare is hosting if this issue is not resolved.

Comment 2 Ilari Stenroth 2015-01-31 22:18:03 UTC
See also bug #1019390.

Comment 3 Paul Wouters 2015-02-02 15:33:40 UTC
Oops. It was only enabled for el6, not fedora branches. I will push out updates now.

Note unbound no longer requires ldns (but ldns should also be fixed to enable support for it).

Comment 4 Tomáš Hozza 2015-04-08 12:53:41 UTC
Both unbound and ldns are compiled with ECDSA support in F21+.

