[Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?

Simon Kelley simon at thekelleys.org.uk
Tue Mar 25 22:39:14 UTC 2014


On 25/03/14 22:22, Lonnie Abelbeck wrote:
> 
> On Mar 25, 2014, at 4:52 PM, Simon Kelley wrote:
> 
>> On 25/03/14 21:25, Lonnie Abelbeck wrote:
>>> 
>>> 
>>> Is the decision to not support OpenSSL shared libraries a final
>>> decision, or is there a chance you may reconsider ?
>>> 
>> 
>> The very early DNSSEC code used openSSL, so it's possible. The
>> reason for the change (in no particular order) was 1) the API is
>> much nicer. 2) licensing considerations.
>> 
>> I evaluated several possible libraries before choosing Nettle.
>> 
>> One of the worries was bloat, especially in openWRT and similar
>> router distributions. The conclusion was that those typically don't
>> include openSSL anyway, they use things like dropbear, which has
>> its own crypto.
>> 
>> Note that whilst a full shared installation of nettle and gmp
>> is large, the dnsmasq build system allows static linking, which
>> means that you get the small portion of the libraries which is
>> needed by dnsmasq, not the whole thing. When I last checked,
>> dnsmasq compiled with DNSSEC support and statically linked against
>> Nettle and stripped was 200k or so. That needs no extra disk space
>> for crypto libraries at all.  200k + libc gives you everything.
>> 
>> 
>> Conclusions from this:
>> 
>> 1) It would be possible to use openSSL instead of Nettle. 2) To do
>> so, you'd have to convince me (and other copyright holders) to add
>> an openSSL exception to the dnsmasq license. I have a built-in
>> bias for GPL-licensed software. 3) There are no real resource
>> arguments for using openSSL instead of Nettle.
>> 
>> Do you want openSSL instead of Nettle? If so, why?
>> 
>> Cheers,
>> 
>> Simon.
> 
> I would prefer OpenSSL support.
> 
> As a developer for a cross-compiled x86 open source project
> (AstLinux) building and maintaining additional libraries
> (particularly crypto) is not ideal when so many packages already
> require OpenSSL.
> 
> We also try to keep the "bloat" out as much as possible, our
> compressed images are around 40 MB in size.
> 
> Your excellent dnsmasq is one of our core packages, it would be our
> preference if it also supported the time tested OpenSSL shared
> libraries.
> 
> Obviously using Nettle is not a deal breaker, but I think OpenSSL vs.
> Nettle is a good discussion to have.

Indeed, I'm interested to hear opinions.

In the meantime, if you build dnsmasq with

make COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'

then the crypto libraries will be statically linked, and you don't need
to dedicate space to a shared installation of nettle and gmp which isn't
actually used by anything else.


Cheers,

Simon.




> 
> Thanks, Lonnie
> 
> 
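The build-and-verify step behind Simon's static-linking advice, as an added shell example that is not code from the thread or from the dnsmasq project: it runs the make invocation he gives, strips the result, and then checks the binary with ldd so that "statically linked crypto" is confirmed rather than assumed. The variable DNSMASQ_SRC, the function names and the sample ldd output used in the check are assumptions of this example; the shared-object names libnettle, libhogweed (Nettle's public-key half, which is the part that depends on GMP) and libgmp are the real ones.

```shell
#!/bin/sh
# Added example, not code from the dnsmasq project or from the thread.
# Builds dnsmasq with DNSSEC and statically linked crypto, as described in
# Simon's reply, then verifies that the binary has no runtime dependency on
# the Nettle/GMP shared objects.
#
# Assumptions (not from the thread): DNSMASQ_SRC points at an unpacked
# dnsmasq source tree, and the static archives for nettle, hogweed and gmp
# are installed where the linker can find them.

# Build step exactly as given in the thread, followed by stripping the
# binary (src/dnsmasq is where the dnsmasq Makefile leaves it).
# Not invoked by the checks below; run it by hand.
build_static_dnssec() {
    src="${1:-$DNSMASQ_SRC}"
    make -C "$src" COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC' || return 1
    strip "$src/src/dnsmasq"
}

# Read `ldd` output on stdin. Exit status 0 if any crypto shared object is
# listed, 1 otherwise. libhogweed is Nettle's public-key library (the part
# that depends on GMP), so a check for libnettle alone would miss it.
lists_shared_crypto() {
    grep -Eq 'lib(nettle|hogweed|gmp)\.so'
}

# Exit status 0 when the binary at $1 is free of shared crypto
# dependencies, 1 when it still links libnettle, libhogweed or libgmp.
check_binary() {
    if ldd "$1" 2>/dev/null | lists_shared_crypto; then
        echo "$1: still dynamically linked against nettle/gmp" >&2
        return 1
    fi
    echo "$1: no shared crypto dependencies, size $(wc -c < "$1" | tr -d ' ') bytes"
    return 0
}
```

Usage: `build_static_dnssec /path/to/dnsmasq && check_binary /path/to/dnsmasq/src/dnsmasq`. If `check_binary` fails, the link step picked up the shared objects and the disk-space saving Simon describes is not being realised; the printed size is the number to compare against his "200k or so". Run `ldd` only on binaries you built yourself, since it loads the target under the dynamic loader.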



