Hi,

GOST has been deprecated for use in DNSSEC, and the
actual standard actually says it MUST NOT be used for
signing (and MAY be used for verification), see RFC 8624.

I think the best course of action here is to actually disable it
everywhere where GOST R 34.10-2001 is used as it has
been superseded by GOST R 34.10-2012 in [RFC7091].

If we get a bug report about GOST being disabled, it should
be rejected with a reference to RFC 8624.

Cheers,
Ondrej
--
Ondřej Surý (He/Him)
ond...@sury.org

> On 26. 4. 2022, at 17:28, Michael Tokarev <m...@tls.msk.ru> wrote:
> 
> Control: tag -1 + moreinfo
> 
> On Tue, 9 May 2017 21:44:45 +0200 martin f krafft <madd...@debian.org> wrote:
>> Package: ldnsutils
>> Version: 1.7.0-1
>> Severity: normal
>> When trying to use ldns-key2ds with -g, I get an error about GOST
>> not being available.
>> % ldns-key2ds -g -n xxxxxxxxxxxx_combined.key
>> error: libcrypto does not provide GOST
>> Either the option should be disabled, or ldns-key2ds linked with
>> a libcrypto that provides GOST.
> 
> Well, GOST comes as an add-on to libcrypto. So if you install
> such an add-on on your system, everything will work. If we
> disable GOST for ldns, we'll get another bug report, saying
> GOST is not enabled even though ldns supports it.
> 
> I think it's best to keep it the way it is now, what do you think?
> 
> /mjt
> 
