MatthewVance / unbound-docker-rpi

Run Unbound with latest version of OpenSSL on Raspberry Pi with Docker.
MIT License
136 stars 23 forks

dig sigfail.verteiltesysteme.net returns NOERROR #25

Closed Nyurael closed 2 years ago

Nyurael commented 2 years ago

Hi @MatthewVance ,

I have been using your image for a while and it works great. Recently, however, I noticed that suddenly "dig sigfail.verteiltesysteme.net" returns NOERROR. I'm not sure since when and I can't get a handle on it. Unfortunately, reinstalling the image didn't help either. Do you have any ideas? I can imagine that the problem occurred after a "sudo apt update && sudo apt full-upgrade" and I hadn't noticed it at first.

Kind regards Nyu

MatthewVance commented 2 years ago

Hi @Nyurael , thanks for reporting this. There's recently been a lot of research and investigation of this over in the non-Pi version of my image (see https://github.com/MatthewVance/unbound-docker/issues/93). The reason is 1.13.2 and 1.14.0 were built with the --with-deprecate-rsa-1024 option.

Per the release notes: "It is possible to configure unbound with --with-deprecate-rsa-1024, that stops the use of RSA 1024 keys. That makes unbound work with certain FIPS installations that do not allow such calls to the crypto API. If the option is enabled, Unbound treats RSA keys with an insufficiently sized key as not supported. Responses with unsupported crypto are marked insecure."

The ideal fix would be for sigfail.verteiltesysteme.net to update to a stronger crypto algorithm, but I imagine that's unlikely to happen soon. It is safe to assume it's not the only domain that has this issue.
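The three outcomes described above (SERVFAIL, NOERROR without the `ad` flag, NOERROR with `ad`) can be told apart from dig's header lines. The following script is an added example, not code from this project: `classify_dig_output` and `check_resolver` are hypothetical helper names, the server default of 127.0.0.1 is an assumption, and the dig header snippets are constructed so the classifier runs offline.

```shell
#!/bin/sh
# Added example, not code from the unbound-docker-rpi project: classify a
# resolver's answer for a deliberately broken DNSSEC test name such as
# sigfail.verteiltesysteme.net from the header lines that dig prints.
#   SERVFAIL            -> bogus: validation is enforced (the expected result)
#   NOERROR, no "ad"    -> insecure: answered but not validated, e.g. when
#                          Unbound was built with --with-deprecate-rsa-1024
#                          and the zone signs with RSA-1024 keys
#   NOERROR with "ad"   -> validated: a bad signature passed, investigate

# classify_dig_output DIG_TEXT: prints bogus | insecure | validated | other
classify_dig_output() {
  status=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
  case "$status" in
    SERVFAIL) printf 'bogus\n' ;;
    NOERROR)
      case " $flags " in
        *" ad "*) printf 'validated\n' ;;
        *)        printf 'insecure\n' ;;
      esac ;;
    *) printf 'other\n' ;;
  esac
}

# check_resolver [NAME] [SERVER]: live query (needs dig); the server defaults
# to 127.0.0.1, assumed to be where the Unbound container listens
check_resolver() {
  classify_dig_output "$(dig "@${2:-127.0.0.1}" "${1:-sigfail.verteiltesysteme.net}" A)"
}

# Constructed dig header snippets (not captured from a real resolver) so the
# classifier can be exercised without network access.
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1001
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1003
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

for s in "$SAMPLE_BOGUS" "$SAMPLE_INSECURE" "$SAMPLE_VALIDATED"; do
  classify_dig_output "$s"
done
# Run "sh check.sh live" to query the local resolver for real.
if [ "${1:-}" = live ]; then check_resolver; fi
```

Against an image built with the flag, a zone signed with RSA-1024 keys reports `insecure` rather than `bogus`, which is the behaviour the release notes describe.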

Nyurael commented 2 years ago

@MatthewVance Thx a lot for the information. I went crazy for 3 days and tried around A LOT, since I'm totally new to the whole topic ;)

Is it possible to release a new image with an environment parameter to en/disable "with-deprecate-rsa-1024"?

kjw1985 commented 2 years ago

@Nyurael It is not possible (at the moment) to use it as an environment variable as it is a compile flag. You can (for the moment) build your own image by removing the compile flag in the Dockerfile.

MatthewVance commented 2 years ago

For now, I released a change (https://github.com/MatthewVance/unbound-docker-rpi/commit/78954a7d2bef5e16268855f6611a0addbe2e16ce) for 1.14.0 latest tag that removes that compile time option.

Long-term, I like the idea of releasing a version with and without the with-deprecate-rsa-1024 option. I'll need to spend some time documenting and explaining the nuances if I do that.