[Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?

Lonnie Abelbeck lists at lonnie.abelbeck.com
Tue Mar 25 22:22:03 UTC 2014

On Mar 25, 2014, at 4:52 PM, Simon Kelley wrote:

> On 25/03/14 21:25, Lonnie Abelbeck wrote:
>> Is the decision to not support OpenSSL shared libraries a final decision, or is there a chance you may reconsider?
> The very early DNSSEC code used openSSL, so it's possible. The reason
> for the change (in no particular order) was 1) the API is much nicer. 2)
> licensing considerations.
> I evaluated several possible libraries before choosing Nettle.
> One of the worries was bloat, especially in openWRT and similar router
> distributions. The conclusion was that those typically don't include
> openSSL anyway, they use things like dropbear, which has its own crypto.
> Note that whilst a full shared installation of nettle and gmp is
> large, the dnsmasq build system allows static linking, which means that
> you get the small portion of the libraries which is needed by dnsmasq,
> not the whole thing. When I last checked, dnsmasq compiled with DNSSEC
> support and statically linked against Nettle and stripped was 200k or
> so. That needs no extra disk space for crypto libraries at all.  200k +
> libc gives you everything.
> Conclusions from this:
> 1) It would be possible to use openSSL instead of Nettle.
> 2) To do so, you'd have to convince me (and other copyright holders) to
> add an openSSL exception to the dnsmasq license. I have a built-in bias
> for GPL-licensed software.
> 3) There are no real resource arguments for using openSSL instead of Nettle.
> Do you want openSSL instead of Nettle? If so, why?
> Cheers,
> Simon.

I would prefer OpenSSL support.

As a developer for a cross-compiled x86 open source project (AstLinux), building and maintaining additional libraries (particularly crypto) is not ideal when so many packages already require OpenSSL.

We also try to keep the "bloat" out as much as possible; our compressed images are around 40 MB in size.

Your excellent dnsmasq is one of our core packages; it would be our preference if it also supported the time-tested OpenSSL shared libraries.

Obviously using Nettle is not a deal breaker, but I think OpenSSL vs. Nettle is a good discussion to have.

