Maintained by: NLnet Labs

[Unbound-users] Unbound 1.4.7 release

lst_hoe02 at kwsoft.de
Tue Nov 9 21:08:22 CET 2010


Quoting Paul Wouters <paul at xelerance.com>:

> On Tue, 9 Nov 2010, lst_hoe02 at kwsoft.de wrote:
>
>> Is GOST a supported cipher for DNSSEC or will it be some time in the future?
>
> It's fully supported in the RFCs, including its algorithm number.

I guess a validating resolver is supposed to treat results as
unsigned/unsecure if it finds an algorithm it cannot process?

>> As far as I can see it is only available in openssl 1.x or newer
>> and for the next few years this will probably not be the standard
>> on Unix. So most of us have to use "--disable-gost" anyway...
>
> I have not yet packaged things up, but I assume there is detection
> in ./configure for this.

Yes that's how I noticed..

> Red Hat strips out all ECC related routines in openssl, so even on
> rhel/centos 6 there will be no gost if using the stock openssl
> package. I'm looking at seeing if it is possible to add a sub package
> (openssl-gost) that just has the gost engine, but that will require
> some time to see how compatible that is with the "stripping" used in
> Red Hat.

That's why software patents are bad as hell....

Regards

Andreas
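
The unsupported-algorithm question raised in this message, as an added example that is not part of the original post and is not Unbound's code: RFC 4035 section 5.2 has a validator treat a delegation as unsigned when it supports none of the algorithms in the authenticated DS RRset. The sketch below models that decision for a hypothetical resolver built with --disable-gost; the supported sets, function names and DS records are assumptions constructed for illustration, while algorithm 12 and digest type 3 are the ECC-GOST values from RFC 5933.

```python
# Added illustration, not Unbound's code. Models the RFC 4035 section 5.2 rule.
ECC_GOST = 12      # RFC 5933 DNSKEY/RRSIG algorithm number
GOST_DIGEST = 3    # RFC 5933 DS digest type (GOST R 34.11-94)

# Hypothetical resolver built with --disable-gost:
# RSA signing algorithms, SHA-1 and SHA-256 DS digests only.
SUPPORTED_ALGS = {5, 7, 8, 10}
SUPPORTED_DIGESTS = {1, 2}


def parse_ds(rdata):
    """Parse DS RDATA in presentation format: keytag algorithm digest-type digest."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("malformed DS RDATA: %r" % rdata)
    keytag, alg, digest_type = (int(f) for f in fields[:3])
    return keytag, alg, digest_type, "".join(fields[3:]).lower()


def usable_ds(ds_rrset, algs=SUPPORTED_ALGS, digests=SUPPORTED_DIGESTS):
    """Return the DS records this resolver can use to build a chain of trust."""
    parsed = [parse_ds(r) for r in ds_rrset]
    return [d for d in parsed if d[1] in algs and d[2] in digests]


def delegation_status(ds_rrset, **kw):
    """'insecure' when no DS is usable; otherwise 'validate', meaning signatures
    must verify and a failure is bogus rather than insecure."""
    if not ds_rrset:
        # Assumption: the absence of DS was itself proven by the parent zone.
        return "insecure"
    return "validate" if usable_ds(ds_rrset, **kw) else "insecure"


# Constructed sample DS sets; the digests are dummy values, not real zones.
GOST_ONLY = ["4321 12 3 " + "ab" * 32]
DUAL_SIGNED = ["4321 12 3 " + "ab" * 32, "8765 8 2 " + "cd" * 32]
ALG_OK_DIGEST_UNKNOWN = ["8765 8 3 " + "cd" * 32]

if __name__ == "__main__":
    for name, rrset in [("GOST only", GOST_ONLY),
                        ("GOST + RSASHA256", DUAL_SIGNED),
                        ("RSASHA256 key, GOST digest", ALG_OK_DIGEST_UNKNOWN)]:
        print(name, "->", delegation_status(rrset))
```

A zone that publishes both a GOST and an RSASHA256 DS still gets validated by this resolver, so dropping to insecure only happens when every DS record is unusable.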