OpenSSL problem: bind98-base FreeBSD port

Mark Andrews marka at
Mon Jul 9 00:56:51 UTC 2012

In message <4FFA2871.2020506 at>, Doug Barton writes:
> On 07/08/2012 17:33, Matthew Pounsett wrote:
> > 
> > On 2012/07/08, at 20:29, Matthew Pounsett wrote:
> > 
> >>
> >> On 2012/07/08, at 20:26, Mark Andrews wrote:
> >>
> >>>
> >>> One can also build named w/o GOST support if one wants.  We statically
> >>> link all the engines when building named on Windows.
> >>
> >> Unfortunately the port doesn't provide the config hooks to disable GOST support.
> > 
> > Actually.. how do you go about doing that anyway?  I was just taking a look at writing a patch for the port to allow GOST to
>  be turned off, but BIND's configure script doesn't have any information in it about disabling individual ciphers.
> I wouldn't accept it anyway. For better or worse, GOST is part of the
> protocol.
> Doug

GOST is not a manditory part of DNSSEC.  It is entirely optional
whether a site supports it or not.  If a site doesn't support GOST
then the zone is treated as insecure.  It doesn't break anything
to disable GOST support.  This is no worse that deciding whether
to link with OpenSSL or not.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at

More information about the bind-users mailing list