ports/169612: dns/powerdns: Fix botan/cryptopp dependency, make it configurable
Ralf van der Enden
tremere at cainites.net
Thu Jul 26 14:40:07 UTC 2012
The following reply was made to PR ports/169612; it has been noted by GNATS.
From: Ralf van der Enden <tremere at cainites.net>
To: Joe Holden <joe at rewt.org.uk>
Cc: Ralf van der Enden <ralf.vanderenden at deltares.nl>,
bug-followup at freebsd.org
Subject: Re: ports/169612: dns/powerdns: Fix botan/cryptopp dependency,
make it configurable
Date: Thu, 26 Jul 2012 16:36:16 +0200
Hello all,
I've just submitted the following PR that addresses the configurable
DNSSEC option: http://www.freebsd.org/cgi/query-pr.cgi?pr=170195
Some other fixes and changes are in there as well, so please close this PR.
Best regards,
Ralf van der Enden
On 12-7-2012 20:29, Joe Holden wrote:
> On 2012-07-12 16:12, Ralf van der Enden wrote:
>> On 12-7-2012 17:04, Joe Holden wrote:
>>> On 2012-07-12 08:52, Ralf van der Enden wrote:
>>>> Hi Joe,
>>>>
>>>> I've talked to the author of powerdns and if you disable botan and
>>>> cryptopp, pdns will run at half speed when doing DNSSEC stuff.
>>>> Therefore I'm not in favor of making them configurable. Large DNS
>>>> installations might run into serious performance issues. Or is there
>>>> another reason you want them configurable I'm not aware of?
>>>>
>>> The default should probably be on, but I added that anyway to avoid
>>> pulling in more dependencies if they aren't being used (e.g. if you
>>> don't use DNSSEC), or don't have sufficient requirement for it.
>> I'm more in favor of an 'Enable extra DNSSEC algorithms' option
>> instead of configuring cryptopp and botan individually.
>>>
> Agreed, that is more appropriate.
>
>>>> Checking out your patch I did find out there's a bug in powerdns'
>>>> botan 1.8 support when using ECDSA crypto. Your botan patch
>>>> unfortunately doesn't fix things, but I've upgraded botan to 1.10.2 on
>>>> my local system and that does seem to correct the issue. When I have
>>>> some more time I will see if the port-maintainer of botan is
>>>> interested in creating a 1.10 port besides the now existing 1.8 one.
>>>>
>>> The problem with the botan port is that it didn't enable the correct
>>> module and also deleted some headers after install - on my machines
>>> where I use powerdns/botan the patch does allow powerdns to be built
>>> correctly and the ECDSA headers for botan are present.
>>>
>>> Does this not work on your machine?
>> Building with botan 1.8 worked just fine here, even without your (not
>> yet submitted) patch. Not sure why it didn't on your machine though.
>>
> Interesting, I will have to run through a build on a fresh machine
> again, the problem was though that powerdns wasn't finding ecdsa.h and
> friends as they weren't installed without the --enable-modules=ecdsa
> flag to botan 1.8.
>
> I'll give it another try and see, though.
>
>> The thing that doesn't work though is the following:
>> pdnssec test-algorithms
>>
>> Although pdns compiled successfully with botan 1.8, ECDSA support
>> still is broken. I'm guessing that command also shows some failures on
>> your end when running it.
>> Until it's a) fixed or b) botan is upgraded to 1.10.2, I'm probably
>> gonna disable botan support for now. ECC-GOST (algo 12) is only
>> enabled when compiling against botan 1.10, and ECDSA (algo 13 and 14)
>> are both supported by cryptopp.
>>>
>>>> Best regards,
>>>>
>>>> Ralf van der Enden
>>>>
>>> Thanks,
>>> J
>>>
>>>
>>
>> Thanks for your input though. It made me look further than just a
>> successful compilation process.
>>
>> Best regards,
>>
>> Ralf
>
> Thanks,
> J
>