[Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?

Simon Kelley simon at thekelleys.org.uk
Tue Mar 25 21:52:02 UTC 2014

On 25/03/14 21:25, Lonnie Abelbeck wrote:
> Is the decision to not support OpenSSL shared libraries a final decision, or is there a chance you may reconsider ?

The very early DNSSEC code used OpenSSL, so it's possible. The reasons
for the change were (in no particular order) 1) the API is much nicer,
and 2) licensing considerations.

I evaluated several possible libraries before choosing Nettle.

One of the worries was bloat, especially in OpenWRT and similar router
distributions. The conclusion was that those typically don't include
OpenSSL anyway; they use things like dropbear, which has its own crypto.

Note that whilst a full shared installation of nettle and gmp is
large, the dnsmasq build system allows static linking, which means that
you get the small portion of the libraries which is needed by dnsmasq,
not the whole thing. When I last checked, dnsmasq compiled with DNSSEC
support and statically linked against Nettle and stripped was 200k or
so. That needs no extra disk space for crypto libraries at all. 200k +
libc gives you everything.

Conclusions from this:

1) It would be possible to use OpenSSL instead of Nettle.
2) To do so, you'd have to convince me (and other copyright holders) to
add an OpenSSL exception to the dnsmasq license. I have a built-in bias
for GPL-licensed software.
3) There are no real resource arguments for using OpenSSL instead of Nettle.

Do you want OpenSSL instead of Nettle? If so, why?
