Date:      Thu, 12 Jul 2012 18:30:05 GMT
From:      Joe Holden <joe@rewt.org.uk>
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   Re: ports/169612: dns/powerdns:  Fix botan/cryptopp dependency, make it configurable
Message-ID:  <201207121830.q6CIU5NM025262@freefall.freebsd.org>

The following reply was made to PR ports/169612; it has been noted by GNATS.

From: Joe Holden <joe@rewt.org.uk>
To: Ralf van der Enden <ralf.vanderenden@deltares.nl>
Cc: <bug-followup@freebsd.org>
Subject: Re: ports/169612: dns/powerdns:  Fix botan/cryptopp dependency,  make it configurable
Date: Thu, 12 Jul 2012 19:29:21 +0100

 On 2012-07-12 16:12, Ralf van der Enden wrote:
 > On 12-7-2012 17:04, Joe Holden wrote:
 >> On 2012-07-12 08:52, Ralf van der Enden wrote:
 >>> Hi Joe,
 >>>
 >>> I've talked to the author of powerdns and if you disable botan and
 >>> cryptopp, pdns will run at half speed when doing DNSSEC stuff.
 >>> Therefore I'm not in favor of making them configurable. Large DNS
 >>> installations might run into serious performance issues. Or is there
 >>> another reason you want them configurable I'm not aware of?
 >>>
 >> The default should probably be on, but I added that anyway to avoid 
 >> pulling in more dependencies if they aren't being used (e.g., if you 
 >> don't use DNSSEC), or don't have sufficient requirement for it.
 > I'm more in favor of an 'Enable extra DNSSEC algorithms' option
 > instead of configuring cryptopp and botan individually.
 >>
 Agreed, that is more appropriate.
 
 >>> Checking out your patch I did find out there's a bug in powerdns'
 >>> botan 1.8 support when using ECDSA crypto. Your botan patch
 >>> unfortunately doesn't fix things, but I've upgraded botan to 1.10.2 on
 >>> my local system and that does seem to correct the issue. When I have
 >>> some more time I will see if the port-maintainer of botan is
 >>> interested in creating a 1.10 port besides the now existing 1.8 one.
 >>>
 >> The problem with the botan port is that it didn't enable the correct 
 >> module and also deleted some headers after install - on my machines 
 >> where I use powerdns/botan the patch does allow powerdns to be built 
 >> correctly and the ECDSA headers for botan are present.
 >>
 >> Does this not work on your machine?
 > Building with botan 1.8 worked just fine here, even without your (not
 > yet submitted) patch. Not sure why it didn't on your machine though.
 >
 Interesting, I will have to run through a build on a fresh machine 
 again, the problem was though that powerdns wasn't finding ecdsa.h and 
 friends as they weren't installed without the --enable-modules=ecdsa 
 flag to botan 1.8.
 
 I'll give it another try and see, though.
 
 > The thing that doesn't work though is the following:
 >     pdnssec test-algorithms
 >
 > Although pdns compiled successfully with botan 1.8, ECDSA support
 > still is broken. I'm guessing that command also shows some failures on
 > your end when running it.
 > Until it's a) fixed or b) botan is upgraded to 1.10.2, I'm probably
 > gonna disable botan support for now. ECC-GOST (algo 12) is only
 > enabled when compiling against botan 1.10, and ECDSA (algo 13 and 14)
 > are both supported by cryptopp.
 >>
 >>> Best regards,
 >>>
 >>> Ralf van der Enden
 >>>
 >> Thanks,
 >> J
 >>
 >>
 >
 > Thanks for your input though. It made me look further than just a
 > successful compilation process.
 >
 > Best regards,
 >
 > Ralf
 
 Thanks,
 J


