[bind10-dev] Sha1
JINMEI Tatuya / 神明達哉
jinmei at isc.org
Tue Mar 16 16:56:22 UTC 2010
At Tue, 16 Mar 2010 10:45:47 +0100,
Shane Kerr <shane at isc.org> wrote:
> > We cannot ship the current sha1 implementation as we previously
> > discussed. We need to import BIND9 code or other safe code, or skip
> > nsec3 this time.
>
> Just out of curiosity, why is this unsafe?
License (copyright) issue. We discussed this before:
https://lists.isc.org/pipermail/bind10-dev/2010-March/000587.html
(see also other related messages of this thread).
> It doesn't look like the BIND 10 code should be that difficult to
> convert... except of course we need OpenSSL.
We have three options:
1. incorporate the BIND 9 version of sha1 (lib/isc/sha1.c)
2. use an external library
3. drop NSEC3 (for the year1 release)
Each of them has some pros and cons.
If we have two weeks, e.g., option 1 would be the easiest and most
reasonable short-term solution. The problem is that we only have a
few days.
---
JINMEI, Tatuya