Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1064149 - unbound and ldns are disabled ECDSA support for DNSSEC
Summary: unbound and ldns are disabled ECDSA support for DNSSEC
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: unbound
Version: 20
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
Assignee: Paul Wouters
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: ecc
TreeView+ depends on / blocked
 
Reported: 2014-02-12 06:09 UTC by sshida
Modified: 2015-04-08 12:53 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-04-08 12:53:41 UTC


Attachments (Terms of Use)

Description sshida 2014-02-12 06:09:55 UTC
Description of problem:
- ECDSA is Eliptic Curve Digital Signature Algorythm.
- ECDSA is supported DNSSEC (RFC 6605)
- Both unbound and ldns support ECDSA
- But in Fedora 20, unbound and ldns does not support ECDSA 
  as compiled with --disable-ecdsa.

Version-Release number of selected component (if applicable):
- Fedora 20

How reproducible:
- see spec file of unbound and ldns

Steps to Reproduce:
1. grep ecdsa ldns.spec
2. grep ecdsa unbound.spec

Actual results:
$ grep ecdsa ldns.spec
%configure --disable-rpath --disable-static --disable-gost --disable-ecdsa \
   --disable-ecdsa \
   --disable-ecdsa \
- Added --disable-ecdsa as ECC is still banned

% grep ecdsa unbound.spec
            --enable-sha2 --disable-gost --disable-ecdsa \

Expected results:
- not seen "--disable-ecdsa" in ldns.spec, unbound.spec
- ECDSA test is passed

Additional info:
- Simillar bugs has solved also apache httpd, ssh, curl.

Comment 1 Ilari Stenroth 2015-01-31 22:07:40 UTC
CloudFlare is planning to launch DNSSEC with ECDSA keys. RHEL/Fedora/CentOS provided Unbound will not be able to verify DNS replies for domains that CloudFlare is hosting if this issue is not resolved.

Comment 2 Ilari Stenroth 2015-01-31 22:18:03 UTC
See also bug #1019390.

Comment 3 Paul Wouters 2015-02-02 15:33:40 UTC
oops. it was only enabled for el6, not fedora branches. I will push out updates now.

Note unbound no longer requires ldns (but ldns should also be fixed to enable support for it)

Comment 4 Tomáš Hozza 🤓 2015-04-08 12:53:41 UTC
Both, unbound and ldns are compiled with ECDSA support in F21+


Note You need to log in before you can comment on or make changes to this bug.