[nsd-users] NSD and OpenSSL

W.C.A. Wijngaards wouter at nlnetlabs.nl
Mon Aug 10 07:46:36 UTC 2015


Hi Michael,

On 10/08/15 07:24, Michael A. Peters wrote:
> Hi,
> 
> I'm currently busy rebuilding many of my server applications to
> use LibreSSL instead of OpenSSL.
> 
> I noticed that NSD links against OpenSSL and I am curious as to if
> that is really necessary.

It can link against libressl if you want, and that works.  (You just
need to set it up that it does that, like switching to LibreSSL for
the FreeBSD system, or use the --with-ssl configure option).

> 
> I am guessing some cryptographic functions are used when it pushed
> zone changes to slaves, but does it actually use a TLS connection?

The HMAC TSIG uses crypto, SHA1, SHA256, SHA512.  NSEC3 uses hashes.
The nsd-control functionality uses TLS.  These work with LibreSSL and
OpenSSL.

For DNSSEC algorithms, NSD does not need library support to serve the
correct DNSSEC signatures to clients.

Best regards,
   Wouter

> 
> I know earlier this year, many bitcoin clients that dynamically
> link against OpenSSL broke when OpenSSL pushed an update.
> 
> The fault was not OpenSSL, it was bitcoin clients to blame. Some 
> developers pointed out that because bitcoin doesn't actually use
> TLS it really should have just had the cryptographic functions it
> needs in its own source. That would have prevented a bug fix to
> OpenSSL breaking the clients.
> 
> I am wondering if that is the case with NSD.
> 
> Thoughts?

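An added illustration of the "NSEC3 uses hashes" point in the reply above; it is not part of the original message and not NSD's code. It computes the NSEC3 owner-name hash as defined in RFC 5155 (iterated, salted SHA-1, base32hex encoded) using Python's hashlib, and the function names and the sample salt/iteration values are assumptions chosen for the example.

```python
import base64
import hashlib

# RFC 4648 base32 -> base32hex ("extended hex") alphabet, lowercase as in zone files.
_B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = "0123456789abcdefghijklmnopqrstuv"
_TO_B32HEX = str.maketrans(_B32_STD, _B32_HEX)


def name_to_wire(name: str) -> bytes:
    """Canonical DNS wire form: lowercased, length-prefixed labels, root terminator."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if not label:          # the root name itself has no labels
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        wire += bytes([len(raw)]) + raw
    wire += b"\x00"
    if len(wire) > 255:
        raise ValueError("name longer than 255 octets")
    return wire


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: IH(salt, x, 0) = H(x || salt), repeated `iterations` more times."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes of SHA-1 encode to exactly 32 base32 characters, so there is no padding.
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX)


if __name__ == "__main__":
    # Constructed sample parameters (salt aabbccdd, 12 iterations).
    for owner in ("example.", "a.example.", "does-not-exist.example."):
        print(owner, "->", nsec3_hash(owner, "aabbccdd", 12))
```

The hash has to be computed for names that are not in the zone as well, which is why a server answering from an NSEC3-signed zone needs a SHA-1 implementation at query time even though the RRSIG records it serves were generated beforehand.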
