Re: Bind 8.2 Integration

[Mark Kettenis <kettenis@wins.uva.nl>]

   From: Andreas Jaeger <aj@suse.de>
   Date: 26 Nov 1999 13:48:12 +0100

   Hi Zack, Mark and all others,

   About half a year ago Zack and Mark looked at the integration of the
   resolv code from bind 8.2 into glibc.  Since then nothing happened.
   Was it just a lack of time or interest or did you encounter any
   serious problems?

At the time there appeared to be some serious problems, since there is
some support for strong cryptography in the BIND 8.2 distrubution.  It
turns out that not all of the cryptography code is needed in the
resolver library.  The idea is that if you want to use secure DNS the
cryptography isn't done in the resolver stub itself, but by a trusted
named.  So it seems that we do not need to provide any strong
cryptography in glibc.

However, the new res_sendsigned/res_nsendsigned interfaces, do use the
HMAC_MD5 algorithm which is integrated in the same framework as the
strong cryptography code.  It is easy to compile the cryptography
code (which lives in `src/lib/dst' in the BIND distribution) such that
it only supports the HMAC_MD5 algorithm but there may be some
problems:

 * The code provides hooks that make it easy to add strong
   encryption.  According to some interpretations of US export laws
   this is just as bad as actually providing the code for strong
   encryption.

 * The MD5 code included in BIND is ripped from Eric Young's SSL
   implementation and the license might not be acceptable.  It should
   not be too difficult to use the MD5 code already present in glibc
   instead.

You'll probably want to have an "official" FSF statement on these
issues before doing any real work.

   I'm considering to do the integration myself soonish and would
   appreciate any help you can give me.

Just ask :)  I did some serious code browsing and even started writing
a free (in the GPL sense) implementation of the DSA algorithm, but
more or less dropped it when I found out that this was not needed for
glibc.

Mark