Date: Thu, 26 Jul 2012 14:40:07 GMT
From: Ralf van der Enden <tremere@cainites.net>
To: freebsd-ports-bugs@FreeBSD.org
Subject: Re: ports/169612: dns/powerdns: Fix botan/cryptopp dependency, make it configurable
Message-ID: <201207261440.q6QEe7k2050401@freefall.freebsd.org>
The following reply was made to PR ports/169612; it has been noted by GNATS.

From: Ralf van der Enden <tremere@cainites.net>
To: Joe Holden <joe@rewt.org.uk>
Cc: Ralf van der Enden <ralf.vanderenden@deltares.nl>, bug-followup@freebsd.org
Subject: Re: ports/169612: dns/powerdns: Fix botan/cryptopp dependency, make it configurable
Date: Thu, 26 Jul 2012 16:36:16 +0200

Hello all,

I've just submitted the following PR that addresses the configurable
DNSSEC option:
http://www.freebsd.org/cgi/query-pr.cgi?pr=170195

Some other fixes and changes are in there as well, so please close this PR.

Best regards,

Ralf van der Enden

On 12-7-2012 20:29, Joe Holden wrote:
> On 2012-07-12 16:12, Ralf van der Enden wrote:
>> On 12-7-2012 17:04, Joe Holden wrote:
>>> On 2012-07-12 08:52, Ralf van der Enden wrote:
>>>> Hi Joe,
>>>>
>>>> I've talked to the author of powerdns and if you disable botan and
>>>> cryptopp, pdns will run at half speed when doing DNSSEC stuff.
>>>> Therefore I'm not in favor of making them configurable. Large DNS
>>>> installations might run into serious performance issues. Or is there
>>>> another reason you want them configurable I'm not aware of?
>>>>
>>> The default should probably be on, but I added that anyway to avoid
>>> pulling in more dependencies if they aren't being used (e.g., if you
>>> don't use DNSSEC), or don't have sufficient requirement for it.
>> I'm more in favor of an 'Enable extra DNSSEC algorithms' option
>> instead of configuring cryptopp and botan individually.
>>>
> Agreed, that is more appropriate.
>
>>>> Checking out your patch I did find out there's a bug in powerdns'
>>>> botan 1.8 support when using ECDSA crypto. Your botan patch
>>>> unfortunately doesn't fix things, but I've upgraded botan to 1.10.2 on
>>>> my local system and that does seem to correct the issue. When I have
>>>> some more time I will see if the port-maintainer of botan is
>>>> interested in creating a 1.10 port besides the now existing 1.8 one.
>>>>
>>> The problem with the botan port is that it didn't enable the correct
>>> module and also deleted some headers after install - on my machines
>>> where I use powerdns/botan the patch does allow powerdns to be built
>>> correctly and the ECDSA headers for botan are present.
>>>
>>> Does this not work on your machine?
>> Building with botan 1.8 worked just fine here, even without your (not
>> yet submitted) patch. Not sure why it didn't on your machine though.
>>
> Interesting, I will have to run through a build on a fresh machine
> again, the problem was though that powerdns wasn't finding ecdsa.h and
> friends as they weren't installed without the --enable-modules=ecdsa
> flag to botan 1.8.
>
> I'll give it another try and see, though.
>
>> The thing that doesn't work though is the following:
>> pdnssec test-algorithms
>>
>> Although pdns compiled successfully with botan 1.8, ECDSA support
>> still is broken. I'm guessing that command also shows some failures on
>> your end when running it.
>> Until it's a) fixed or b) botan is upgraded to 1.10.2, I'm probably
>> gonna disable botan support for now. ECC-GOST (algo 12) is only
>> enabled when compiling against botan 1.10, and ECDSA (algo 13 and 14)
>> are both supported by cryptopp.
>>>
>>>> Best regards,
>>>>
>>>> Ralf van der Enden
>>>>
>>> Thanks,
>>> J
>>>
>>>
>>
>> Thanks for your input though. It made me look further than just a
>> successful compilation process.
>>
>> Best regards,
>>
>> Ralf
>
> Thanks,
> J
>