OpenSSL problem: bind98-base FreeBSD port
Mark Andrews
marka at isc.org
Mon Jul 9 00:56:51 UTC 2012
In message <4FFA2871.2020506 at dougbarton.us>, Doug Barton writes:
> On 07/08/2012 17:33, Matthew Pounsett wrote:
> >
> > On 2012/07/08, at 20:29, Matthew Pounsett wrote:
> >
> >>
> >> On 2012/07/08, at 20:26, Mark Andrews wrote:
> >>
> >>>
> >>> One can also build named w/o GOST support if one wants. We statically
> >>> link all the engines when building named on Windows.
> >>
> >> Unfortunately the port doesn't provide the config hooks to disable GOST support.
> >
> > Actually.. how do you go about doing that anyway? I was just taking a look at writing a patch for the port to allow GOST to be turned off, but BIND's configure script doesn't have any information in it about disabling individual ciphers.
>
> I wouldn't accept it anyway. For better or worse, GOST is part of the
> protocol.
>
> Doug
GOST is not a mandatory part of DNSSEC. It is entirely optional
whether a site supports it or not. If a site doesn't support GOST
then the zone is treated as insecure. It doesn't break anything
to disable GOST support. This is no worse than deciding whether
to link with OpenSSL or not.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
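
The "treated as insecure" behaviour described in the message above, as an added example that is not part of the original post and is not BIND's code. It follows the RFC 4035 section 5.2 rule for DS RRsets with no supported algorithm; the `DS` tuple, the `classify` function, the `sig_ok` callback and the sample records are constructed for illustration.

```python
from typing import NamedTuple

# Numbers from the IANA DNSSEC registries.
ALG_RSASHA256 = 8    # RFC 5702
ALG_ECC_GOST = 12    # RFC 5933
DIGEST_SHA256 = 2    # RFC 4509
DIGEST_GOST = 3      # RFC 5933 (GOST R 34.11-94)


class DS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int


def usable_ds(ds_rrset, algs, digests):
    """DS records this validator can actually follow to a DNSKEY."""
    return [d for d in ds_rrset
            if d.algorithm in algs and d.digest_type in digests]


def classify(ds_rrset, algs, digests, sig_ok):
    """Return 'insecure', 'secure' or 'bogus' for a child zone.

    ds_rrset: authenticated DS RRset from the parent (empty = no DS exists)
    sig_ok:   hypothetical callback(ds) -> bool standing in for the real
              DNSKEY/RRSIG cryptographic verification
    """
    usable = usable_ds(ds_rrset, algs, digests)
    if not usable:
        # RFC 4035 5.2: no supported algorithm in the DS RRset means there is
        # no authentication path, so the zone is handled as if unsigned.
        return "insecure"
    # A supported path exists, so validation is required and failure is bogus.
    return "secure" if any(sig_ok(d) for d in usable) else "bogus"


# Constructed sample delegations.
GOST_ONLY = [DS(1111, ALG_ECC_GOST, DIGEST_GOST)]
DUAL = GOST_ONLY + [DS(2222, ALG_RSASHA256, DIGEST_SHA256)]

# Constructed validator builds: with and without GOST compiled in.
WITH_GOST = ({ALG_RSASHA256, ALG_ECC_GOST}, {DIGEST_SHA256, DIGEST_GOST})
NO_GOST = ({ALG_RSASHA256}, {DIGEST_SHA256})
```

A GOST-only zone downgrades to insecure on the build without GOST, while a zone that also publishes an RSASHA256 DS must still validate on that build.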