From: Petr Spacek
Organization: Red Hat
To: bind-suggest@isc.org
CC: Tomas Hozza, nmavrogi@redhat.com
Date: Mon, 12 Jan 2015 14:44:36 +0100
Subject: provide richer options for crypto configuration in BIND
Message-ID: <54B3CFC4.50108@redhat.com>

Hello,

I would like to ask you for help with the crypto consolidation project: Red Hat is trying to consolidate crypto configuration on Linux systems in one place.

As you can see in https://bugzilla.redhat.com/show_bug.cgi?id=1179925, we have tried to write a script which translates the system-wide crypto policy into a named.conf snippet (with the aim of forbidding old/deprecated/insecure algorithms and so on).

Unfortunately, it seems that BIND currently has a very limited set of crypto settings. It would be really helpful if BIND could accept parameters like min-rsa-bits and min-dh-bits (or at least specify the allowed DH groups). Also, there is no way to specify algorithms and minimal accepted parameters/key sizes for HMAC algorithms.

Maybe an option to specify algorithm white-lists instead of black-lists would be a nice way to avoid surprises after an upgrade.

What do you think about it? Would it be possible to implement something like that?

Have a nice day!

-- 
Petr Spacek @ Red Hat
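The translation step the message describes, written out as an added example (not the script from the Red Hat bug and not BIND's code): a whitelist from a system policy is turned into the deny-list form that BIND's existing `disable-algorithms` statement accepts, and a final helper shows the "surprise after upgrade" that a whitelist option would avoid. The policy line format `dnssec_algorithms = ...` and the snapshot of DNSSEC algorithm mnemonics are assumptions constructed for this example.

```python
# Assumption: DNSSEC algorithm mnemonics as BIND spells them, a snapshot
# constructed for this example from the IANA registry.
KNOWN_DNSSEC_ALGORITHMS = (
    "RSAMD5", "DH", "DSA", "RSASHA1", "NSEC3DSA", "NSEC3RSASHA1",
    "RSASHA256", "RSASHA512", "ECCGOST", "ECDSAP256SHA256",
    "ECDSAP384SHA384", "ED25519", "ED448",
)

# Constructed sample policy: the operator whitelists three algorithms.
SAMPLE_POLICY = """\
# system-wide crypto policy (constructed sample, hypothetical format)
dnssec_algorithms = RSASHA256 RSASHA512 ECDSAP256SHA256
"""


def parse_policy(text):
    """Return the whitelist from the 'dnssec_algorithms' line of a policy."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "dnssec_algorithms":
            return [name.upper() for name in value.split()]
    return []


def whitelist_to_blacklist(allowed, known=KNOWN_DNSSEC_ALGORITHMS):
    """BIND only takes a deny list, so disable everything not whitelisted."""
    allowed = {name.upper() for name in allowed}
    unknown = allowed - set(known)
    if unknown:
        raise ValueError(f"unknown algorithm(s) in policy: {sorted(unknown)}")
    return [name for name in known if name not in allowed]


def named_conf_snippet(allowed, zone="."):
    """Render the deny list as a disable-algorithms statement for named.conf."""
    body = " ".join(name + ";" for name in whitelist_to_blacklist(allowed))
    return f'disable-algorithms "{zone}" {{ {body} }};'


def uncovered_after_upgrade(allowed, disabled, newer_known):
    """Algorithms a newer BIND accepts that the generated snippet neither
    allows nor disables: the gap a deny list leaves open after an upgrade."""
    covered = {name.upper() for name in allowed} | set(disabled)
    return [name for name in newer_known if name not in covered]
```

Running `named_conf_snippet(parse_policy(SAMPLE_POLICY))` yields a single `disable-algorithms "." { ... };` line listing the ten algorithms outside the whitelist; any mnemonic BIND learns later is reported by `uncovered_after_upgrade`, not silently disabled.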