[Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?

Simon Kelley simon at thekelleys.org.uk
Wed Mar 26 20:31:28 UTC 2014


On 26/03/14 09:16, Olaf Westrik wrote:
> On 2014-03-25 23:22, Lonnie Abelbeck wrote:
>>
>> On Mar 25, 2014, at 4:52 PM, Simon Kelley wrote:
>>>
>>> Do you want openSSL instead of Nettle? If so, why?
>>>
>>> Cheers,
>>>
>>> Simon.
>>
>> I would prefer OpenSSL support.
>>
>> As a developer for a cross-compiled x86 open source project (AstLinux)
>> building and maintaining additional libraries (particularly crypto) is
>> not ideal when so many packages already require OpenSSL.
>>
>> We also try to keep the "bloat" out as much as possible, our
>> compressed images are around 40 MB in size.
>>
>> Your excellent dnsmasq is one of our core packages, it would be our
>> preference if it also supported the time tested OpenSSL shared libraries.
>>
>> Obviously using Nettle is not a deal breaker, but I think OpenSSL vs.
>> Nettle is a good discussion to have.
> 
> 
> I happen to be in a similar position as Lonnie.
> Since we use packages that use OpenSSL (Apache, OpenVPN, wget, Perl
> SSLeay), we already ship the openssl libraries and not nettle.
> 
> Surely the addition of nettle, statically linked if need be, is not
> something that will double the size of our image. I am more concerned
> with the addition of yet another software package that needs to be
> monitored.
> 
> 
> If the license issue can be solved, would it be an option to use either
> nettle or openssl depending on something like make -DUSE_NETTLE or make
> -DUSE_OPENSSL?
> 

It's something I'd consider for a future release, but 2.69 needs to be Out
There soon, and that will certainly be Nettle only. As far as I'm
concerned that's good, since if people want DNSSEC, they'll have to
provide Nettle (statically linked, if preferred). We can take some time
to see if openSSL can be made an alternative, but the nettle will have
to be grasped for 2.69. (Bad pun, sorry!)

The licensing problem is real. I'm not the only copyright holder in
dnsmasq, so even if I'm convinced, I'd need to try and identify and
contact the other interested parties to modify the license.



Cheers,

Simon.



