Discussion:
about the effect of installing with "--without-openssl"
takahiro
2018-08-25 13:58:50 UTC
I would like someone to help me.

I don't use DNSSEC, so I am thinking of not using OpenSSL.

If I install BIND 9.11.4 with "./configure --without-openssl",
what kind of functions can not be used, other than DNSSEC?
And are there risks if OpenSSL is not used in BIND?

I tried to find out the answers, but I didn't find them.

best regards,

Takahiro



--
Sent from: http://bind-users-forum.2342410.n4.nabble.com/
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Anand Buddhdev
2018-08-25 14:07:47 UTC
On 25/08/2018 15:58, takahiro wrote:

Hi Takahiro,
Post by takahiro
I would like someone to help me.
I don't use DNSSEC, so I am thinking of not using OpenSSL.
If I install BIND 9.11.4 with "./configure --without-openssl",
what kind of functions can not be used, other than DNSSEC?
And are there risks if OpenSSL is not used in BIND?
There are other features in BIND, such as TSIG keys, that require
cryptographic functions, so you still need openssl.

Compiling without openssl is a bad idea. Don't do it.

Regards,
Anand
takahiro
2018-08-25 15:27:56 UTC
Hi Anand,

I appreciate your quick reply.
Post by Anand Buddhdev
There are other features in BIND, such as TSIG keys, that require
cryptographic functions, so you still need openssl.
Now I don't use TSIG keys.
Maybe rndc, too?
(When I looked up the word "cryptographic", rndc was displayed.)
Post by Anand Buddhdev
Compiling without openssl is a bad idea. Don't do it.
I was surprised!
I thought it was a good idea to disable unnecessary functions.
Could you tell me the reason?
I don't fully understand the functions of BIND.

Thank you.




Anand Buddhdev
2018-08-25 16:44:01 UTC
On 25/08/2018 17:27, takahiro wrote:

Hi Takahiro,
Post by takahiro
Post by Anand Buddhdev
There are other features in BIND, such as TSIG keys, that require
cryptographic functions, so you still need openssl.
Now I don't use TSIG keys.
Maybe rndc, too?
(When I looked up the word "cryptographic", rndc was displayed.)
Post by Anand Buddhdev
Compiling without openssl is a bad idea. Don't do it.
I was surprised!
I thought it was a good idea to disable unnecessary functions.
Could you tell me the reason?
I don't fully understand the functions of BIND.
TSIG isn't the only thing that needs cryptographic functions. BIND also
has support for DNS COOKIES (RFC 7873), which also need openssl. I would
say openssl is not optional, so just don't compile without it.

I don't even know why there's an option to compile without openssl, but
I'm sure one of the BIND developers can enlighten us.

Regards,
Anand
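The two features Anand names, TSIG and DNS COOKIE, are both keyed-hash constructions, and rndc's control channel is authenticated the same way (an HMAC over each message with the shared secret from rndc.key). The following is an added example, not code from this thread or from BIND, showing what that "cryptographic function" actually is: a TSIG MAC over a constructed query following RFC 8945, with the BADTIME/BADSIG checks a verifier performs, and a server cookie in the shape of the RFC 7873 appendix algorithms (keyed hash over client address and client cookie, truncated to 64 bits; BIND's own cookie algorithm is not reproduced). Key names, secrets, addresses and the query are all made up for the example. Note that Python's hmac/hashlib are themselves normally backed by OpenSSL, which is the point: dropping the library does not remove the need for a keyed hash, it removes the features that use one.

```python
"""Added example (not from the thread or from BIND): TSIG (RFC 8945) and
DNS COOKIE (RFC 7873) both reduce to an HMAC over message bytes with a
shared secret. All names, secrets and addresses below are constructed."""
import hmac
import hashlib
import struct


def wire_name(name: str) -> bytes:
    """Canonical, uncompressed wire form of a domain name (lowercased,
    as RFC 4034 section 6.2 requires for digest input)."""
    out = bytearray()
    for label in name.rstrip(".").lower().split("."):
        if label:
            out.append(len(label))
            out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def build_query(qname: str, txid: int) -> bytes:
    """Constructed sample input: minimal unsigned A/IN query, RD set, no TSIG RR."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + wire_name(qname) + struct.pack("!HH", 1, 1)


def tsig_mac(msg: bytes, key_name: str, secret: bytes, time_signed: int,
             fudge: int = 300, request_mac: bytes = b"") -> bytes:
    """TSIG MAC (RFC 8945 section 4.3): HMAC over
    [2-byte length + request MAC] | unsigned message | TSIG variables.
    Only hmac-sha256 with error=0 and empty other-data is handled."""
    variables = (
        wire_name(key_name)
        + struct.pack("!HI", 255, 0)                     # CLASS ANY, TTL 0
        + wire_name("hmac-sha256")                       # algorithm name
        + struct.pack("!HI", time_signed >> 32,
                      time_signed & 0xFFFFFFFF)          # 48-bit time signed
        + struct.pack("!HHH", fudge, 0, 0)               # fudge, error, other len
    )
    data = b""
    if request_mac:                                      # responses chain the request MAC
        data += struct.pack("!H", len(request_mac)) + request_mac
    data += msg + variables
    return hmac.new(secret, data, hashlib.sha256).digest()


def verify_tsig(msg: bytes, key_name: str, secret: bytes, time_signed: int,
                fudge: int, mac: bytes, now: int) -> str:
    """Return 'ok' or the TSIG error a verifier raises (RFC 8945 section 5.2)."""
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    expected = tsig_mac(msg, key_name, secret, time_signed, fudge)
    # Constant-time comparison: never compare MACs with ==.
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"
    return "ok"


def server_cookie(server_secret: bytes, client_ip: str, client_cookie: bytes) -> bytes:
    """Server cookie in the shape of RFC 7873 Appendix B: keyed hash over the
    client address and the 8-byte client cookie, truncated to 64 bits.
    Illustrative only; this is not BIND's algorithm."""
    data = client_ip.encode("ascii") + client_cookie
    return hmac.new(server_secret, data, hashlib.sha256).digest()[:8]


def check_cookie(server_secret: bytes, client_ip: str,
                 client_cookie: bytes, presented: bytes) -> bool:
    """A cookie presented from another source address does not verify."""
    return hmac.compare_digest(server_cookie(server_secret, client_ip, client_cookie),
                               presented)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # would come from a key {} clause
    query = build_query("example.com", 0x1234)
    signed_at = 1535198400                      # constructed timestamp
    mac = tsig_mac(query, "transfer-key", secret, signed_at)
    print("mac:", mac.hex())
    print("fresh, untampered:",
          verify_tsig(query, "transfer-key", secret, signed_at, 300, mac, signed_at + 50))
    print("qtype flipped:",
          verify_tsig(query[:-1] + b"\x10", "transfer-key", secret, signed_at, 300, mac, signed_at + 50))
    print("replayed later:",
          verify_tsig(query, "transfer-key", secret, signed_at, 300, mac, signed_at + 3600))
    cc = bytes(range(1, 9))
    sc = server_cookie(b"server-secret", "192.0.2.1", cc)
    print("cookie from 192.0.2.1 ok:", check_cookie(b"server-secret", "192.0.2.1", cc, sc))
    print("same cookie from 192.0.2.2 ok:", check_cookie(b"server-secret", "192.0.2.2", cc, sc))
```

The verifier returns the TSIG error name rather than raising, which mirrors what a server does: it answers with the TSIG error in the response rather than dropping the message silently. The response-side chaining (passing the request MAC into tsig_mac) is what stops an attacker from splicing a legitimate signed answer onto a different query.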
Evan Hunt
2018-08-25 23:54:32 UTC
Post by Anand Buddhdev
TSIG isn't the only thing that needs cryptographic functions. BIND also
has support for DNS COOKIES (RFC 7873), which also need openssl. I would
say openssl is not optional, so just don't compile without it.
I don't even know why there's an option to compile without openssl, but
I'm sure one of the BIND developers can enlighten us.
In the newest development release, there is no longer an option to
compile without a cryptographic provider. That provider can be openssl,
or a hardware security module that supports PKCS#11, but you at least need
one or the other.

I'm not entirely sure why the option was there in the first place, as
that dates back to before my time. But I do remember that in the 90s,
when development on BIND 9 was first started, there were derpy export
requirements for crypto libraries, which meant openssl wasn't available
on all platforms, and I've always guessed it was because of that.

No longer an issue, anyway.
--
Evan Hunt -- ***@isc.org
Internet Systems Consortium, Inc.
takahiro
2018-08-26 03:44:22 UTC
Thank you for many replies.

But I still can't understand.

"If I don't use DNSSEC, TSIG, or DNS COOKIE, it's no problem to compile without
openssl."
Is my understanding correct?



Evan Hunt
2018-08-26 08:58:39 UTC
Post by takahiro
"If I don't use DNSSEC, TSIG, or DNS COOKIE, it's no problem to compile without
openssl."
Is my understanding correct?
In all versions of BIND up to 9.12, it is possible to compile BIND without
openssl by using "configure --without-openssl".

There will be features you can't use. They're good features, and in my
opinion disabling them is a mistake, but you are allowed to do so.

In BIND 9.13, the option to disable these features no longer exists.
--
Evan Hunt -- ***@isc.org
Internet Systems Consortium, Inc.
Matus UHLAR - fantomas
2018-08-26 15:58:33 UTC
Post by Evan Hunt
Post by takahiro
"If I don't use DNSSEC, TSIG, or DNS COOKIE, it's no problem to compile without
openssl."
Is my understanding correct?
In all versions of BIND up to 9.12, it is possible to compile BIND without
openssl by using "configure --without-openssl".
There will be features you can't use. They're good features, and in my
opinion disabling them is a mistake, but you are allowed to do so.
I believe the OP is asking for a list of those features disabled by
--without-openssl (if it exists somewhere) and whether there are more than
the DNSSEC, TSIG and DNS COOKIE mentioned before.
--
Matus UHLAR - fantomas, ***@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"One World. One Web. One Program." - Microsoft promotional advertisement
"Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler
takahiro
2018-08-27 02:30:31 UTC
Hi there.
Post by Evan Hunt
In all versions of BIND up to 9.12, it is possible to compile BIND without
openssl by using "configure --without-openssl".
Last week, I could install BIND 9.11.4-P1 by using "configure
--without-openssl" on my test machine.
It seems that there is no problem with ldd `which named`, rndc, or name
resolution.
But I haven't fully checked the functions that I used to use yet.
Post by Matus UHLAR - fantomas
I believe the OP is asking for a list of those features disabled by
--without-openssl (if it exists somewhere) and whether there are more than
the DNSSEC, TSIG and DNS COOKIE mentioned before.
Yes, I'd like to know the list of features.
I have been using BIND 9.9, so I'm going to update to BIND 9.11 ESV.
But the features that I want are the same as in BIND 9.9.
In addition, the reason that I want to disable OpenSSL is that OpenSSL is
vulnerable.

That's why I want to know the effect of installing with "without-openssl".




Doug Barton
2018-08-27 03:41:09 UTC
Post by takahiro
That's why I want to know the effect of installing with "without-openssl".
What specifically are you trying to accomplish by compiling without openssl?
takahiro
2018-08-28 14:15:39 UTC
Hello, Doug.

Our (my) goal is to build a secure server and to eliminate useless work for
BIND and OpenSSL vulnerabilities,
i.e. improved reliability and lower cost.
So we have a policy that we should not use functions that we don't use, as
much as possible
(e.g. DNSSEC, TSIG, etc.).
And we have another reason: we don't have enough time to verify new
functions
(e.g. DNS COOKIE, PKCS#11, DNSTap, etc.).
Especially DNS COOKIE!
I have a bad feeling about this. XD

Thank you.


