[Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?

sven falempin sven.falempin at gmail.com
Tue Mar 25 23:03:09 UTC 2014


On Tue, Mar 25, 2014 at 6:39 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
> On 25/03/14 22:22, Lonnie Abelbeck wrote:
>>
>> On Mar 25, 2014, at 4:52 PM, Simon Kelley wrote:
>>
>>> On 25/03/14 21:25, Lonnie Abelbeck wrote:
>>>>
>>>>
>>>> Is the decision to not support OpenSSL shared libraries a final
>>>> decision, or is there a chance you may reconsider ?
>>>>
>>>
>>> The very early DNSSEC code used openSSL, so it's possible. The
>>> reason for the change (in no particular order) was 1) the API is
>>> much nicer. 2) licensing considerations.
>>>
>>> I evaluated several possible libraries before choosing Nettle.
>>>
>>> One of the worries was bloat, especially in openWRT and similar
>>> router distributions. The conclusion was that those typically don't
>>> include openSSL anyway, they use things like dropbear, which has
>>> its own crypto.
>>>
>>> Note that whilst a full shared installation of nettle and gmp
>>> is large, the dnsmasq build system allows static linking, which
>>> means that you get the small portion of the libraries which is
>>> needed by dnsmasq, not the whole thing. When I last checked,
>>> dnsmasq compiled with DNSSEC support and statically linked against
>>> Nettle and stripped was 200k or so. That needs no extra disk space
>>> for crypto libraries at all.  200k + libc gives you everything.
>>>
>>>
>>> Conclusions from this:
>>>
>>> 1) It would be possible to use openSSL instead of Nettle. 2) To do
>>> so, you'd have to convince me (and other copyright holders) to add
>>> an openSSL exception to the dnsmasq license. I have a built-in
>>> bias for GPL-licensed software. 3) There are no real resource
>>> arguments for using openSSL instead of Nettle.
>>>
>>> Do you want openSSL instead of Nettle? If so, why?
>>>
>>> Cheers,
>>>
>>> Simon.
>>
>> I would prefer OpenSSL support.
>>
>> As a developer for a cross-compiled x86 open source project
>> (AstLinux) building and maintaining additional libraries
>> (particularly crypto) is not ideal when so many packages already
>> require OpenSSL.
>>
>> We also try to keep the "bloat" out as much as possible, our
>> compressed images are around 40 MB in size.
>>
>> Your excellent dnsmasq is one of our core packages, it would be our
>> preference if it also supported the time tested OpenSSL shared
>> libraries.
>>
>> Obviously using Nettle is not a deal breaker, but I think OpenSSL vs.
>> Nettle is a good discussion to have.
>
> Indeed, I'm interested to hear opinions.
>
> In the meantime, if you build dnsmasq with
>
> make COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC' then the crypto libraries
> will be statically linked, and you don't need to dedicate space to a
> shared installation of nettle and gmp which isn't actually used by
> anything else.
>
>
> Cheers,
>
> Simon.
>
>
>
>
>>
>> Thanks, Lonnie

My concern with Nettle vs. OpenSSL is the amount of review and testing
Nettle has had compared to something more widely(!) used.


-- 
---------------------------------------------------------------------------------------------------------------------
() ascii ribbon campaign - against html e-mail
/\
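A check for the static DNSSEC build Simon describes above (`-DHAVE_DNSSEC_STATIC`), added here as an example and not part of the thread or of dnsmasq itself: it inspects the binary's dynamic section to confirm that nettle, hogweed and gmp are no longer loaded as shared objects. The two `readelf -d` samples are constructed, and the wrapper for a real binary assumes `readelf` (binutils) is installed.

```shell
#!/bin/sh
# Constructed sample of `readelf -d` output for a dnsmasq built WITHOUT
# -DHAVE_DNSSEC_STATIC: nettle, hogweed and gmp show up as NEEDED objects.
SAMPLE_DYNAMIC='Dynamic section at offset 0x1f000 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libhogweed.so.4]
 0x0000000000000001 (NEEDED)             Shared library: [libnettle.so.6]
 0x0000000000000001 (NEEDED)             Shared library: [libgmp.so.10]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

# Constructed sample for a build WITH -DHAVE_DNSSEC_STATIC: only libc remains.
SAMPLE_STATIC='Dynamic section at offset 0x1f000 contains 24 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

# Print the crypto libraries a binary still loads dynamically, reading
# `readelf -d` output from stdin. Prints nothing when the crypto is static.
shared_crypto_deps() {
    grep '(NEEDED)' | grep -oE 'lib(nettle|hogweed|gmp)[^]]*'
}

# Exit 0 when no shared nettle/hogweed/gmp is needed, 1 otherwise (stdin as above).
crypto_is_static() {
    [ -z "$(shared_crypto_deps)" ]
}

# Wrapper for a real binary (hypothetical default path): reports leftover
# shared crypto dependencies and the on-disk size, so the result can be
# compared with the ~200k stripped static build quoted in the thread.
check_dnsmasq_build() {
    bin=${1:-./src/dnsmasq}
    if readelf -d "$bin" | crypto_is_static; then
        printf '%s: crypto statically linked, %s bytes\n' "$bin" "$(wc -c < "$bin")"
    else
        printf '%s still needs shared crypto: %s\n' "$bin" \
            "$(readelf -d "$bin" | shared_crypto_deps | tr '\n' ' ')"
        return 1
    fi
}
```

Run `check_dnsmasq_build src/dnsmasq` after `make COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'`; a non-zero exit means the link still pulls in the shared libraries.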
