about the effect of installing with "--without-openssl"

Evan Hunt each at isc.org
Sat Aug 25 23:54:32 UTC 2018

On Sat, Aug 25, 2018 at 06:44:01PM +0200, Anand Buddhdev wrote:
> TSIG isn't the only thing that needs cryptographic functions. BIND also
> had support for DNS COOKIES (RFC 7873), which also need openssl. I would
> say openssl is not optional, so just don't compile without it.
> I don't even know why there's an option to compile without openssl, but
> I'm sure one of the BIND developers can enlighten us.

In the newest development release, there is no longer an option to
compile without a cryptographic provider.  That provider can be openssl,
or hardware service module that supports PKCS#11, but you at least need
one or the other.

I'm not entirely sure why the option was there in the first place, as
that dates back to before my time. But I do remember that in the 90s,
when development on BIND 9 was first started, there were derpy export
requirements for crypto libraries, which meant openssl wasn't available
on all platforms, and I've always guessed it was because of that.

No longer an issue, anyway.

Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.

More information about the bind-users mailing list