On Tue, 24 Mar 2015 23:11:51 +0100 Cyril Brulebois <k...@debian.org> wrote:
> > > 3. Yet another way might be to teach unbound to support GnuTLS in
> > > addition to OpenSSL and NSS, so that one can build a GnuTLS variant
> > > instead of an NSS one.
> >
> > option 3 would require probably using nettle as well as gnutls (for the
> > dnssec client verification) -- i'm not sure what sort of twisty maze of
> > dependencies or build-dependencies this creates, though :)
>
> Oh, nettle is an old friend (we use it as a sha1 implementation in
> xserver-xorg-core-udeb).
>
> > libunbound should only depend on libssl for the purposes of outbound
> > DNS-over-TLS-over-TCP connections, right? the DNSSEC verification work
> > only needs to use libcrypto (or nettle, if we were to port it, which
> > would avoid the circularity).
>
> I really don't know. You can pretend somebody jumped on me asking
> whether I was part of Debian and mentioned this issue that has been
> tagged wontfix. That wouldn't be very far from what happened. ;)
>
> I can add nettlifying unbound to my ever growing to-do list, and see
> what codepaths are involved there. Maybe someone even did that work
> upstream already, I didn't check yet.

I went ahead and coded the "nettlify libunbound" part, which is basically
option 3 proposed above. I ran this through upstream and they merged it
today:
https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=594

This change only touches libunbound (and the testcases) to build with
nettle, while the rest of unbound still needs OpenSSL or NSS (mostly for
TLS).

Cheers, Luca

-- 
.''`.  ** Debian GNU/Linux **  | Luca Bruno (kaeso)
: :' :   The Universal O.S.    | lucab (AT) debian.org
`. `'`                         | GPG: 0xBB1A3A854F3BBEBF
  `-    http://www.debian.org  | Debian GNU/Linux Developer
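The practical check that follows from the thread is whether a given libunbound build really stopped pulling in libssl once its DNSSEC verification moved to nettle. The script below is an added example, not code from the thread or from the unbound project: it classifies the crypto backend of a shared object from its NEEDED sonames and flags a libssl dependency. The soname patterns and the use of objdump (binutils) are assumptions about a typical Debian layout; the two sample NEEDED lists are constructed, not taken from a real build.

```shell
#!/bin/sh
# Added example (not from the thread or from unbound): classify which
# crypto backend a libunbound build links against, and flag a libssl
# dependency, which the thread argues libunbound should not need for
# DNSSEC verification alone.

# classify_needed reads NEEDED sonames (one per line) on stdin and prints
# the backend(s) found, followed by " +libssl" if libssl is linked too.
classify_needed() {
    nettle=0; openssl=0; nss=0; ssl=0
    while IFS= read -r so; do
        case "$so" in
            libnettle.so*|libhogweed.so*) nettle=1 ;;   # nettle + its public-key half
            libcrypto.so*)                openssl=1 ;;  # OpenSSL primitives only
            libssl.so*)                   ssl=1 ;;      # OpenSSL TLS layer
            libnss3.so*|libnspr4.so*)     nss=1 ;;      # Mozilla NSS
        esac
    done
    backends=""
    [ "$nettle" -eq 1 ]  && backends="${backends}nettle "
    [ "$openssl" -eq 1 ] && backends="${backends}openssl "
    [ "$nss" -eq 1 ]     && backends="${backends}nss "
    [ -z "$backends" ]   && backends="none "
    printf '%s' "${backends% }"
    [ "$ssl" -eq 1 ] && printf ' +libssl'
    printf '\n'
}

# needed_of extracts the NEEDED entries of an ELF shared object via objdump
# (assumed available from binutils). Usage:
#   needed_of /usr/lib/x86_64-linux-gnu/libunbound.so.2 | classify_needed
needed_of() {
    objdump -p "$1" | awk '$1 == "NEEDED" { print $2 }'
}

# Constructed sample: NEEDED list of a hypothetical nettle-built libunbound.
SAMPLE_NETTLE='libnettle.so.6
libhogweed.so.4
libgmp.so.10
libc.so.6'

# Constructed sample: NEEDED list of a hypothetical OpenSSL-built libunbound
# that still drags in libssl.
SAMPLE_OPENSSL='libssl.so.1.0.0
libcrypto.so.1.0.0
libc.so.6'

# Stand-alone use: pass a shared object path to inspect a real library,
# otherwise classify the two constructed samples.
if [ "$#" -gt 0 ]; then
    needed_of "$1" | classify_needed
else
    printf 'nettle sample:  '; printf '%s\n' "$SAMPLE_NETTLE" | classify_needed
    printf 'openssl sample: '; printf '%s\n' "$SAMPLE_OPENSSL" | classify_needed
fi
```

Run it against the installed library after building the nettle variant; a result of plain "nettle" means the DNSSEC path links only the hash and signature primitives (libnettle/libhogweed), while "+libssl" in the output shows the TLS library is still a runtime dependency.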