> On 28. 4. 2022, at 14:09, Michael Tokarev <m...@tls.msk.ru> wrote:
> 
> 27.04.2022 12:08, Ondřej Surý wrote:
>> Hi,
>> GOST has been deprecated for use in DNSSEC, and the
>> actual standard actually says it MUST NOT be used for
>> signing (and MAY be used for verification), see RFC 8624.
>> I think the best course of action here is to actually disable it
>> everywhere where GOST R 34.10-2001 is used as it has
>> been superseded by GOST R 34.10-2012 in [RFC7091].
> 
> I don't know which version(s) of GOST is enabled in ldns
> when built with --enable-gost[-anyway]. Do you?

Yes, it’s the old one. The 2012 hasn’t been specified for use
in DNSSEC - there was a draft, but it has expired.

There’s an effort to add GOST-2012 to DNSSEC, but it’s
still a draft: https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc5933-bis/

But that’s only tangential. The GOST-2001 needs to be
eradicated from DNS.

> Please note there are at least 4 symbols in the libldns3
> library which are gost-related:
> 
> ldns_gost2pkey_raw@Base 1.7.1
> ldns_gost_engine@Base 1.7.1
> ldns_key_EVP_load_gost_id@Base 1.7.1
> ldns_key_EVP_unload_gost@Base 1.7.1

We can keep the symbols as dummy shims, so the package
doesn’t have to bump SOVERSION.

> I'm not sure here, but it looks like we'll have to
> bump the library soname when removing these symbols.
> 
> To me it looks like not worth the effort.  Especially
> since we "MAY" (as the RFC suggests) need it to verify
> some old signatures anyway.

There are no GOST signatures used in real world deployments;
there’s no need to have validation enabled anywhere. Keeping
an obsoleted algorithm alive is not doing anybody any favors.

Ondrej
--
Ondřej Surý (He/Him)
ond...@sury.org
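The point above about GOST R 34.10-2001 (DNSSEC algorithm number 12, ECC-GOST, assigned by RFC 5933) being "MUST NOT" for signing and only "MAY" for validation under RFC 8624 is easy to turn into an audit check. The script below is an added example and is not part of this thread or of ldns; it assumes zone data in single-line presentation format (owner, optional TTL and class, type, rdata), uses a constructed sample zone, and reports any DNSKEY or RRSIG record that still carries algorithm 12, treating an RRSIG as the stronger finding because it means the zone is actively being signed with the deprecated algorithm.

```python
# Added example, not from the thread or from ldns: audit DNSKEY/RRSIG
# records in presentation format for ECC-GOST (algorithm 12, RFC 5933),
# which RFC 8624 lists as MUST NOT for signing and MAY for validation.
from dataclasses import dataclass

ECC_GOST = 12  # DNSSEC algorithm number for GOST R 34.10-2001 (RFC 5933)

# Names for a few algorithm numbers, only used to make reports readable.
ALG_NAMES = {5: "RSASHA1", 8: "RSASHA256", 12: "ECC-GOST",
             13: "ECDSAP256SHA256", 15: "ED25519"}


@dataclass
class Finding:
    owner: str
    rrtype: str
    algorithm: int
    message: str


def _fields(line):
    # Drop a trailing ';' comment and split on whitespace.
    return line.split(";", 1)[0].split()


def algorithm_of(line):
    """Return (owner, rrtype, algorithm) for a DNSKEY or RRSIG line, else None."""
    fields = _fields(line)
    if len(fields) < 5:
        return None
    owner = fields[0]
    i = 1
    if fields[i].isdigit():      # optional TTL
        i += 1
    if fields[i].upper() == "IN":  # optional class
        i += 1
    rrtype = fields[i].upper()
    rdata = fields[i + 1:]
    if rrtype == "DNSKEY" and len(rdata) >= 4:
        # DNSKEY rdata: flags protocol algorithm public-key
        return owner, rrtype, int(rdata[2])
    if rrtype == "RRSIG" and len(rdata) >= 9:
        # RRSIG rdata: type-covered algorithm labels orig-ttl expiration
        #              inception key-tag signer signature
        return owner, rrtype, int(rdata[1])
    return None


def audit_gost(zone_text):
    """Return a Finding for every DNSKEY/RRSIG record using ECC-GOST."""
    findings = []
    for line in zone_text.splitlines():
        parsed = algorithm_of(line)
        if parsed is None:
            continue
        owner, rrtype, alg = parsed
        if alg != ECC_GOST:
            continue
        name = ALG_NAMES.get(alg, str(alg))
        if rrtype == "RRSIG":
            msg = f"zone is signed with {name}; RFC 8624: MUST NOT sign"
        else:
            msg = f"DNSKEY advertises {name}; deprecated, validators MAY only"
        findings.append(Finding(owner, rrtype, alg, msg))
    return findings


# Constructed sample zone; key and signature fields are placeholders.
SAMPLE_ZONE = """\
example.test. 3600 IN DNSKEY 257 3 13 KSKPLACEHOLDER ; ECDSA P-256 KSK
example.test. 3600 IN DNSKEY 256 3 12 ZSKPLACEHOLDER ; GOST-2001 ZSK
example.test. 3600 IN RRSIG DNSKEY 12 2 3600 20220601000000 20220501000000 12345 example.test. SIGPLACEHOLDER
www.example.test. 300 IN A 192.0.2.1
"""

if __name__ == "__main__":
    for f in audit_gost(SAMPLE_ZONE):
        print(f"{f.owner} {f.rrtype} alg={f.algorithm}: {f.message}")
```

Run against a real zone dump (for example the output of a zone transfer saved one record per line), an empty result is what you want; a DNSKEY hit means a key that current validators may ignore, and an RRSIG hit means the signer itself still needs to be moved to a supported algorithm.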
