From mboxrd@z Thu Jan 1 00:00:00 1970
From: Mark Kettenis
To: aj@suse.de
Cc: libc-hacker@sourceware.cygnus.com
Subject: Re: Bind 8.2 Integration
Date: Fri, 26 Nov 1999 05:34:00 -0000
Message-id: <199911261334.OAA19027@landau.wins.uva.nl>
References:
X-SW-Source: 1999-11/msg00043.html

> From: Andreas Jaeger
> Date: 26 Nov 1999 13:48:12 +0100
>
> Hi Zack, Mark and all others,
>
> About half a year ago Zack and Mark looked at the integration of the
> resolv code from bind 8.2 into glibc. Since then nothing happened.
> Was it just a lack of time or interest or did you encounter any
> serious problems?

At the time there appeared to be some serious problems, since there is
some support for strong cryptography in the BIND 8.2 distribution. It
turns out that not all of the cryptography code is needed in the
resolver library. The idea is that if you want to use secure DNS the
cryptography isn't done in the resolver stub itself, but by a trusted
named. So it seems that we do not need to provide any strong
cryptography in glibc. However, the new res_sendsigned/res_nsendsigned
interfaces do use the HMAC_MD5 algorithm which is integrated in the
same framework as the strong cryptography code. It is easy to compile
the cryptography code (which lives in `src/lib/dst' in the BIND
distribution) such that it only supports the HMAC_MD5 algorithm but
there may be some problems:

* The code provides hooks that make it easy to add strong encryption.
  According to some interpretations of US export laws this is just as
  bad as actually providing the code for strong encryption.

* The MD5 code included in BIND is ripped from Eric Young's SSL
  implementation and the license might not be acceptable. It should
  not be too difficult to use the MD5 code already present in glibc
  instead.

You'll probably want to have an "official" FSF statement on these
issues before doing any real work.

> I'm considering doing the integration myself soonish and would
> appreciate any help you can give me.

Just ask :) I did some serious code browsing and even started writing
a free (in the GPL sense) implementation of the DSA algorithm, but
more or less dropped it when I found out that this was not needed for
glibc.

Mark