[Dnsmasq-discuss] [PATCH] Fix HAVE_CRYPOHASH build and tune GOST/ECDSA usage

Simon Kelley simon at thekelleys.org.uk
Tue Apr 13 22:44:27 UTC 2021


On 10/04/2021 15:57, Vladislav Grishenko wrote:
> Hello,
> 
> Recent nettle version detection changes in dnsmasq 2.85 have brought
> a build regression with HAVE_CRYPTOHASH defined, due to no MIN_VERSION
> macro being defined.

That's not good. I committed a slightly more comprehensive clean up that
fixes this.

I also built myself a script which test-compiles with lots of different
compile-time options, to try and avoid this in the future. I counted 20
different options, so all combinations is a million test combinations,
and not practical. I do at least check each one by itself, and
interacting combinations.
> 
> Also, DNSSEC GOST validation is not consistent in case only hash but not
> signature functions are available.
> 

This shouldn't be a problem; if both are not available, then the
signatures cannot be used.

> Please refer to the patch set attached.
> 
> As for disabling GOST, what if we disable it by default?
> 
> Currently implemented GOST algos are obsolete, newer ones didn’t pass
> certification as a DNSSEC algo, so…
> 


RFC8624 says it's a MAY. When that changes to MUST NOT, then we'll delete.


Simon.


> 
> --
> 
> Best Regards, Vladislav Grishenko
> 
>  
> 
> 