about the effect of installing with "--without-openssl"

Anand Buddhdev anandb at ripe.net
Sat Aug 25 16:44:01 UTC 2018


On 25/08/2018 17:27, takahiro wrote:

Hi Takahiro,

>> There are other features in BIND, such as TSIG keys, that require
>> cryptographic functions, so you still need openssl.
> Now I don't use TSIG keys.
> Maybe rndc, too?
> (When I found out the word "cryptographic", rndc was displayed.)
> 
>> Compiling without openssl is a bad idea. Don't do it.
> I was surprised!  
> I thought it's a good idea to invalidate unnecessary functions.
> Could you tell me the reason?
> I can't fully understand the function of BIND.

TSIG isn't the only thing that needs cryptographic functions. BIND also
had support for DNS COOKIES (RFC 7873), which also need openssl. I would
say openssl is not optional, so just don't compile without it.

I don't even know why there's an option to compile without openssl, but
I'm sure one of the BIND developers can enlighten us.

Regards,
Anand

