[Dnsmasq-discuss] [PATCH] Fix HAVE_CRYPOHASH build and tune GOST/ECDSA usage
Simon Kelley
simon at thekelleys.org.uk
Tue Apr 13 22:44:27 UTC 2021
On 10/04/2021 15:57, Vladislav Grishenko wrote:
> Hello,
>
> Recent nettle version detection changes in dnsmasq 2.85 have brought a
> build regression with HAVE_CRYPTOHASH defined, due to no MIN_VERSION macro
> being defined.
That's not good. I committed a slightly more comprehensive clean-up that
fixes this.
I also built myself a script which test-compiles with lots of different
compile-time options, to try and avoid this in the future. I counted 20
different options, so all combinations is a million test combinations,
and not practical. I do at least check each one by itself, and
interacting combinations.
>
> Also, DNSSEC GOST validation is not consistent in case only hash but not
> signature functions are available.
>
This shouldn't be a problem, if both are not available, then the
signatures cannot be used.
> Please refer patch set attached.
>
> As for disabling GOST, what if disable it by default?
>
> Current implemented GOST algos are obsolete, newer ones didn’t pass
> certification as DNSSEC algo, so…
>
>
RFC8624 says it's a MAY. When that changes to MUST NOT, then we'll delete.
Simon.
>
> --
>
> Best Regards, Vladislav Grishenko