division of code into libraries - openssl dependency

Michael Richardson mcr at sandelman.ottawa.on.ca
Wed Dec 11 16:13:01 UTC 2002


>>>>> "Mark" == Mark Andrews <Mark.Andrews at isc.org> writes:
    Mark> 	However the more I look at this just having both versions of libdns
    Mark> 	available would suffice.  A stub libcrypto would allow the same
    Mark> 	executable to be sent with a crypto less libdns to those parts of
    Mark> 	the world where crypto is illegal.  Certain operations would just
    Mark> 	fail at runtime.

  It isn't just a question of legal/illegal, but being a minimalist for
security/maintenance reasons. Had we had a cut down openssl that just did RSA
operations, then the openssl bugs in ASN.1 code would have been irrelevant.

  As I said - static linking gets you what you need and no more. A shame that
life is like that.

    >> I don't fully understand why using liblwres requires that you also 
    >> link in libdns.  Using lwres to get the common record types (A and PTR), 

    Mark> 	Michael is using libdns to convert the wire format to other
    Mark> 	formats and break up the rdata.  He could have also used libbind
    Mark> 	or libresolv or rolled his own.
  Let me explain more.

  We have a tool called "lwdnsq". It does stuff like:

% (echo "key 1234 east.uml.freeswan.org."; echo quit) | ipsec lwdnsq
1234 1039479835 0 START
1234 1039479835 0 DNSSEC OKAY
1234 1039479835 0 NAME east.uml.freeswan.org
1234 1039479835 0 AD-KEY 16896 4 1 AQN3cn11FrBVbZhWGwRnFDAf8O9FHBmBIyIvmvt0kfkI2UGDDq8k+vYg RkwBZDviLd1p3SkL30LzuV0rqG3vBriqaAUUGoCQ0UMgsuX+k01bROLs qGB1QNXYvYiPLsnoDhKd2Gx9MUMHEjwwEZeyskMT5k91jvoAZvdEkg+9 h7urbJ+kRQ4e+IHkMUrreDGwGVptV/hYQVCD54RZep6xp5ymaKRCDgMp zWvlzO80fP7JDjSZf9LI/MMu6c+qwXIKnWoNha75IhFyLWniVczxK2Rd hmMhLsi0kC0CoOwWDSIEOb+5zbECDjjud+SF5tT8qRCWnSomX8jtbCdZ 50WraQlL
1234 1039479835 0 SIG KEY 1 4 604800 20121130022609 20021203012609 6142 uml.freeswan.org. 1MdwuJz5oXheuCvXQXsVmcq7gT7060Gzn5o548GtI/IQUufwCivS/MTK ivhrcxKrU1Q00M5p7tScRhsztDpppA==
1234 1039479835 0 DONE

  It will eventually use a modified -llwres to do async lookups.

  We popen() this tool from our IKE daemon. This isolates our IKE daemon from
making blocking lwres calls (or using threads). It also means that we don't
have to link in other stuff. In the end, we decided to parse the replies that
we needed (KEY, AD-KEY) directly. We decided to repeat the AD- bit on each
line that we knew was verified.

  The intention is that this tool is useful debugging setups as well as being
used during IPsec.

  {We'd like for lwres queries to actually return all of the SIG records that
were used all the way up to a trusted root. We will supply code if we
must. MTU isn't an issue on loopback. We'd also prefer if we had the option
of doing lwres queries on Unix domain sockets as well.}

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
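
As an added example (not FreeS/WAN's or ISC's code), a parser for the lwdnsq reply format shown in the message above: it keeps only AD-KEY lines, the ones the tool marks as DNSSEC-verified, and merely counts bare KEY lines, so a caller cannot mistake an unverified key for a verified one. It assumes the three numbers after AD-KEY/KEY are the RFC 2535 KEY rdata flags, protocol and algorithm followed by space-split base64, and passes the third column of each line through uninterpreted because the message does not say what it means.

```python
import base64

# Constructed sample in the shape of the lwdnsq transcript in the message
# (the base64 is shortened; the bare KEY line is added to show the distinction).
SAMPLE = """\
1234 1039479835 0 START
1234 1039479835 0 DNSSEC OKAY
1234 1039479835 0 NAME east.uml.freeswan.org
1234 1039479835 0 AD-KEY 16896 4 1 AQN3cn11 FrBVbZhW
1234 1039479835 0 KEY 16896 4 1 AAAAAAAA
1234 1039479835 0 DONE
"""


def parse_key_rdata(fields):
    """KEY rdata as lwdnsq prints it: flags protocol algorithm base64...
    Assumed to follow RFC 2535 (protocol 4 is IPSEC, algorithm 1 is RSA/MD5).
    lwdnsq splits the base64 into space-separated chunks, so join them first."""
    flags, proto, alg = (int(x) for x in fields[:3])
    key = base64.b64decode("".join(fields[3:]), validate=True)
    return {"flags": flags, "protocol": proto, "algorithm": alg, "key": key}


def parse_lwdnsq(text, expect_id):
    """Return (verified_keys, unverified_count, done).

    Only AD-KEY lines go into verified_keys; KEY lines without the AD- prefix
    are counted but never returned as usable. done is False if the DONE
    marker never arrived, e.g. a truncated pipe, so the caller must not act."""
    verified, unverified, done = [], 0, False
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        qid, _timestamp, _status, tag = fields[:4]
        if qid != expect_id:
            continue  # the query id ties each reply line to our question
        if tag == "DONE":
            done = True
        elif tag == "AD-KEY":
            verified.append(parse_key_rdata(fields[4:]))
        elif tag == "KEY":
            unverified += 1
    return verified, unverified, done


if __name__ == "__main__":
    keys, skipped, done = parse_lwdnsq(SAMPLE, "1234")
    print(f"{len(keys)} verified key(s), {skipped} unverified skipped, done={done}")
```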


