[Dnsmasq-discuss] [PATCH] Make ECC-GOST optional only
Geert Stappers
stappers at stappers.nl
Sun Nov 13 13:44:27 UTC 2022
On Thu, Nov 10, 2022 at 06:02:44PM +0100, Petr Menšík wrote:
> Hi!
>
> I was testing my builds on rootcanary.org test, where dnsmasq is the only
> one failing with DNSSEC validation enabled. I am not sure why, I think gost
> crypto algorithm might be broken intentionally on Fedora or RHEL for legal
> reasons. But I have tested it on Debian unstable and the result was the same. It
> passes other algorithms, but fails on this one.
>
> I have therefore made it possible to skip GOST support. In addition it makes
> that the default as well. Is there any distribution which has GOST support
> working? Is it possible that rootcanary.org has wrong signatures?
>
> All other implementations already return insecure status - not implemented
> algorithm. This change makes dnsmasq do the same.
>
....
> --- a/src/config.h
> +++ b/src/config.h
> @@ -198,6 +201,8 @@ RESOLVFILE
> /* #define HAVE_CONNTRACK */
> /* #define HAVE_CRYPTOHASH */
> /* #define HAVE_DNSSEC */
> +/* #define HAVE_GOST */
> +/* #define HAVE_GOST */
> /* #define HAVE_NFTSET */
>
> /* Default locations for important system files. */
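Review bot: the two added lines in this hunk are identical: `/* #define HAVE_GOST */` appears twice in a row after the `HAVE_DNSSEC` entry, and one of them should be dropped. Both lines are inside comments, so the duplicate does not change what is compiled, but every other option visible in this list has a single entry. With the extra line removed the hunk header would read `-198,6 +201,7`.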
Why twice the '/* #define HAVE_GOST */' line?
Groeten
Geert Stappers
--
Silence is hard to parse