Joined: 4/17/2010 Posts: 2
I was having an incredible struggle getting Simple DNS to work - immediately after launching the program, I would get a message from Windows saying it had "stopped working".
I finally narrowed the problem down to a certain Group Policy that was in place: a policy to force the use of FIPS compliant hashing algorithms was making it so that Simple DNS would not launch. Thanks a lot M$ for being REALLY descriptive with your errors!
Anyway, I would like to know if either the algorithms being used could be made FIPS compliant, or if there are any hacks available to get it working in such an environment?
 Joined: 1/14/2008 Posts: 325 Location: Frederikshavn, Denmark
Several key components of the DNS protocol, such as TSIG signatures, use the MD5 hash algorithm by default. And the MD5 hash algorithm is not FIPS compliant. This is why you get the error message if your computer is configured for FIPS.
The DNS protocol functions using MD5 are being deprecated in newer RFCs, but there is still a LOT of client software out there depending on this, and we expect there will be for many years to come. Therefore we will not be able to remove the MD5 code any time soon.
So unfortunately no, it is not possible to work around this.
Note that while other DNS server software packages may not trigger the error, this doesn't mean that they are FIPS compliant. It just means that they don't use a standard library for MD5 calculation (which can be detected by Windows FIPS checks).
Sincerely, Jesper JH Software
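The check a practitioner would want before blaming the application: confirm that the FIPS policy is actually in force on the box, and confirm that MD5 obtained through the operating system's crypto provider fails while a FIPS-approved hash obtained the same way succeeds. The script below is an added example for this thread, not code from Simple DNS or JH Software. It assumes Windows PowerShell on Windows Vista/7 or later, where the policy is the DWORD value `Enabled` under the `FipsAlgorithmPolicy` registry key (older Windows versions store it differently), and it uses a constructed message and key that are not real TSIG material.

```powershell
# Added example (not from the original thread): check the Windows FIPS algorithm
# policy and show which hash classes the OS-backed .NET providers refuse under it.
# Assumed registry location (Vista/7 and later): the DWORD value "Enabled" under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy.

$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fipsEnabled = $false
try {
    $fipsEnabled = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction Stop).Enabled -eq 1
} catch {
    # Key or value absent: the policy is not configured, so FIPS mode is off.
}
"FIPS algorithm policy enabled (registry): $fipsEnabled"

# The .NET Framework reads the same policy; this is the flag its hash classes consult.
"CryptoConfig.AllowOnlyFipsAlgorithms:   $([System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms)"

# Constructed input and key for illustration only; not a real record or TSIG secret.
$data = [System.Text.Encoding]::ASCII.GetBytes('example.com. IN A 192.0.2.1')
$key  = [System.Text.Encoding]::ASCII.GetBytes('constructed-tsig-key-not-a-secret')

function Test-Algorithm {
    param([string]$Name, [scriptblock]$Factory)
    try {
        $alg = & $Factory
        $mac = [BitConverter]::ToString($alg.ComputeHash($data)) -replace '-', ''
        "{0,-10} OK   {1}" -f $Name, $mac
    } catch {
        # With the FIPS policy on, the MD5 classes throw InvalidOperationException
        # at construction time, before any hashing happens. GetBaseException() unwraps
        # the MethodInvocationException that New-Object adds around it.
        "{0,-10} FAIL {1}" -f $Name, $_.Exception.GetBaseException().Message
    }
}

# MD5 and HMAC-MD5 (the default TSIG algorithm) are expected to FAIL under the policy;
# SHA-256 via the CSP-backed class is FIPS-validated and expected to succeed.
Test-Algorithm 'MD5'      { New-Object System.Security.Cryptography.MD5CryptoServiceProvider }
Test-Algorithm 'HMAC-MD5' { New-Object System.Security.Cryptography.HMACMD5 (,$key) }
Test-Algorithm 'SHA256'   { New-Object System.Security.Cryptography.SHA256CryptoServiceProvider }
```

On a machine without the policy all three lines report OK; with the policy on, the two MD5 lines report FAIL with the "not part of the Windows Platform FIPS validated cryptographic algorithms" message, which is the same refusal an application hits when it constructs these classes at startup. Reading HKLM here does not require an elevated prompt. Note that this only tells you whether the OS-level check fires, not whether a given product is FIPS compliant: a program that ships its own MD5 code never triggers it, exactly as the reply above points out.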
Joined: 4/17/2010 Posts: 2
OK, thank you very much for the explanation - I understand the reasoning. I am guessing that you are using built-in algorithms for speed and possibly security, and I am not going to ask that you change that. However, would it be possible to have some sort of error code that is a little easier to understand? It took me quite a while to figure out the problem here.
 Joined: 1/14/2008 Posts: 325 Location: Frederikshavn, Denmark
Quote: I am guessing that you are using built-in algorithms for speed and possibly security
Well - mostly because there is no reason to re-implement something that is already provided by the operating system. Implementing our own might bypass FIPS detection, but it wouldn't make it any better - nor FIPS compliant.
Quote: would it be possible to have some sort of error code that is a little easier to understand?
As far as I recall, this is some type of Windows system error that happens before our code is even run (when you have a Windows policy or A.D. for FIPS), and therefore we cannot affect the look of this. But we'll certainly have another look at this and see if there is anything we can do.
Sincerely, Jesper JH Software