Re: [OpenWrt-Devel] [PATCH 0/4] dnsmasq: DNSSEC support
Hi,

On Sun, Jun 15, 2014 at 11:13 AM, Steven Barth cy...@openwrt.org wrote:
> could you please add nettle-mini support and make this a build variant instead of a config option, please? Build variant has the advantage that we can precompile it as ipks because we cannot enable dnssec by default.

I posted a patch to fix nettle-mini builds to the dnsmasq list. Once a fix is merged I'll include that in this package.

The ipkg suggestion sounds nice, but, as Zhou mentioned, that'll give 4 variants already. Is that really what we want?

Regards,
Andre

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH 0/4] dnsmasq: DNSSEC support
On Mon, Jun 16, 2014 at 10:12 AM, Andre Heider a.hei...@gmail.com wrote:
>> could you please add nettle-mini support and make this a build variant instead of a config option, please? Build variant has the advantage that we can precompile it as ipks because we cannot enable dnssec by default.
>
> I posted a patch to fix nettle-mini builds to the dnsmasq list. Once a fix is merged I'll include that in this package.
>
> The ipkg suggestion sounds nice, but, as Zhou mentioned, that'll give 4 variants already. Is that really what we want?

Is there a reason for not having dnssec by default? If there is a way to disable it, I believe it will only be beneficial to have it in.

regards,
Nikos
Re: [OpenWrt-Devel] [PATCH 0/4] dnsmasq: DNSSEC support
Hi,

thanks for this. My intention was more to add one build-variant dnsmasq-full with standard + dhcpv6 + authoritative + dnssec. As dnssec adds hundreds of KB of dependencies anyway I don't think the 10 or 20 KB of the other features make it particularly worse or worth adding variants for every possible combination.

Cheers,
Steven

On 16.06.2014 10:12, Andre Heider wrote:
> Hi,
>
> On Sun, Jun 15, 2014 at 11:13 AM, Steven Barth cy...@openwrt.org wrote:
>> could you please add nettle-mini support and make this a build variant instead of a config option, please? Build variant has the advantage that we can precompile it as ipks because we cannot enable dnssec by default.
>
> I posted a patch to fix nettle-mini builds to the dnsmasq list. Once a fix is merged I'll include that in this package.
>
> The ipkg suggestion sounds nice, but, as Zhou mentioned, that'll give 4 variants already. Is that really what we want?
>
> Regards,
> Andre
Re: [OpenWrt-Devel] [PATCH 0/4] dnsmasq: DNSSEC support
On Mon, Jun 16, 2014 at 10:15 AM, Nikos Mavrogiannopoulos n.mavrogiannopou...@gmail.com wrote:
> On Mon, Jun 16, 2014 at 10:12 AM, Andre Heider a.hei...@gmail.com wrote:
>>> could you please add nettle-mini support and make this a build variant instead of a config option, please? Build variant has the advantage that we can precompile it as ipks because we cannot enable dnssec by default.
>>
>> I posted a patch to fix nettle-mini builds to the dnsmasq list. Once a fix is merged I'll include that in this package.
>>
>> The ipkg suggestion sounds nice, but, as Zhou mentioned, that'll give 4 variants already. Is that really what we want?
>
> Is there a reason for not having dnssec by default? If there is a way to disable it, I believe it will only be beneficial to have it in.

DNSSEC support adds a dependency. Even with libnettle-mini that's already 167K on my ar71xx. But yes, with support compiled in it can be disabled at runtime, see patch 4.

Regards,
Andre
Re: [OpenWrt-Devel] [PATCH 0/4] dnsmasq: DNSSEC support
Hi Nikos,

> Is there a reason for not having dnssec by default? If there is a way to disable it, I believe it will only be beneficial to have it in.

The main problem here is that this increases the default image size significantly, plus we can't even reuse all the added crypto code because none of the core or important services use nettle. It would be nice to see dnsmasq interacting with a more mainstream embedded crypto library like polarssl or so.

Also I would probably let all the DNSSEC deployment and the dnsmasq implementation mature a bit more before considering to enable it by default for everyone. But that's just my personal opinion.

Cheers,
Steven
Re: [OpenWrt-Devel] [PATCH 0/4] dnsmasq: DNSSEC support
On Mon, Jun 16, 2014 at 10:31 AM, Steven Barth cy...@openwrt.org wrote:
> Hi Nikos,
>
>> Is there a reason for not having dnssec by default? If there is a way to disable it, I believe it will only be beneficial to have it in.
>
> The main problem here is that this increases the default image size significantly, plus we can't even reuse all the added crypto code because none of the core or important services use nettle. It would be nice to see dnsmasq interacting with a more mainstream embedded crypto library like polarssl or so.

On the contrary, I'd prefer if it doesn't. Nettle is an open project under LGPL that anyone can contribute to and can be reused by a variety of software; polarssl is a closed commercial project under a commercial license with a GPLv2 exception.

> Also I would probably let all the DNSSEC deployment and the dnsmasq implementation mature a bit more before considering to enable it by default for everyone. But that's just my personal opinion.

Well, it will never mature if it is not distributed :)

regards,
Nikos
Re: [OpenWrt-Devel] [PATCH 0/4] dnsmasq: DNSSEC support
On Mon, Jun 16, 2014 at 10:16 AM, Steven Barth cy...@openwrt.org wrote:
> my intention was more to add one build-variant dnsmasq-full with standard + dhcpv6 + authoritative + dnssec. As dnssec adds hundreds of KB of dependencies anyway I don't think the 10 or 20 KB of the other features make it particularly worse or worth adding variants for every possible combination.

That sounds better, but on the other side users wanting only dhcpv6 then get quite a lot of DNSSEC bloat. I don't have numbers at hand, but we could explore static libnettle-mini linking?

Regards,
Andre
Re: [OpenWrt-Devel] [PATCH 0/4] dnsmasq: DNSSEC support
> On the contrary, I'd prefer if it doesn't. Nettle is an open project under LGPL that anyone can contribute to and can be reused by a variety of software; polarssl is a closed commercial project under a commercial license with a GPLv2 exception.

Oh well, I sometimes have the feeling if it's open-source + backed by a company there is more interest in avoiding another case of heartbleed or similar, but I guess we will see about that. Companies are not necessarily evil.

Plus nobody said anything about dropping nettle support. Maybe just a little abstraction layer for the crypto stuff would be useful so that other libraries can be used. Heck, maybe even add openssl support. That is 10x bigger but still 100x more reusable in terms of other daemons, but not necessarily a candidate for default builds either.

>> Also I would probably let all the DNSSEC deployment and the dnsmasq implementation mature a bit more before considering to enable it by default for everyone. But that's just my personal opinion.
>
> Well, it will never mature if it is not distributed :)

Well, you are not the one getting all the bug reports about mysterious DNS dysfunction with certain zones then :P

Anyway, personally I would like to at least have prepackaged dnssec support ready for installation so people don't have to compile themselves; that's one step closer to general adoption than just having a build option somewhere deep down in menuconfig.

Once Andre sends his next batch of patches we can think about merging it, but that would mean I would have to move nettle to the core repo and adopt it myself since we don't want to have dependencies from core to any of the feeds.

Cheers,
Steven
Re: [OpenWrt-Devel] [PATCH 0/4] dnsmasq: DNSSEC support
> That sounds better, but on the other side users wanting only dhcpv6 then get quite a lot of DNSSEC bloat. I don't have numbers at hand, but we could explore static libnettle-mini linking?

No, I wasn't thinking about dropping the dhcpv6 variant, just to add the full variant as number 3 so we have standard, dhcpv6 and full. Does that make sense?
Re: [OpenWrt-Devel] [PATCH 0/4] dnsmasq: DNSSEC support
On 16.06.2014 10:40, Nikos Mavrogiannopoulos wrote:
> On Mon, Jun 16, 2014 at 10:31 AM, Steven Barth cy...@openwrt.org wrote:
>> Hi Nikos,
>>
>>> Is there a reason for not having dnssec by default? If there is a way to disable it, I believe it will only be beneficial to have it in.
>>
>> The main problem here is that this increases the default image size significantly, plus we can't even reuse all the added crypto code because none of the core or important services use nettle. It would be nice to see dnsmasq interacting with a more mainstream embedded crypto library like polarssl or so.
>
> On the contrary, I'd prefer if it doesn't. Nettle is an open project under LGPL that anyone can contribute to and can be reused by a variety of software; polarssl is a closed commercial project under a commercial license with a GPLv2 exception.

according to https://polarssl.org/how-to-get you can use the polarssl library properly under copyleft GPL2. if they offer additional licenses does not matter.

..ede
Re: [OpenWrt-Devel] [PATCH 0/4] dnsmasq: DNSSEC support
On Mon, Jun 16, 2014 at 10:52 AM, Steven Barth cy...@openwrt.org wrote:
>> That sounds better, but on the other side users wanting only dhcpv6 then get quite a lot of DNSSEC bloat. I don't have numbers at hand, but we could explore static libnettle-mini linking?
>
> No, I wasn't thinking about dropping the dhcpv6 variant, just to add the full variant as number 3 so we have standard, dhcpv6 and full. Does that make sense?

D'oh, got it now. Sounds good to me. I'll do just that for the next set.

Thanks,
Andre
Re: [OpenWrt-Devel] [PATCH 0/4] dnsmasq: DNSSEC support
On Mon, Jun 16, 2014 at 10:53 AM, edgar.sol...@web.de wrote:
>> On the contrary, I'd prefer if it doesn't. Nettle is an open project under LGPL that anyone can contribute to and can be reused by a variety of software; polarssl is a closed commercial project under a commercial license with a GPLv2 exception.
>
> according to https://polarssl.org/how-to-get you can use the polarssl library properly under copyleft GPL2. if they offer additional licenses does not matter.

That's what I already mentioned. The difference with open-source software is the missing "how to contribute" page (I consider the presence of a developer community a vital part of being open source). Otherwise, tomorrow you could be left with a GPLv2 codebase that is outdated and unmaintained if the X company desires that the GPLv2 codebase they release is no longer a good marketing approach. Another risk is to wait for years (or eternity) to get features that paying customers get (see matrixssl).

On Mon, Jun 16, 2014 at 10:51 AM, Steven Barth cy...@openwrt.org wrote:
>> On the contrary, I'd prefer if it doesn't. Nettle is an open project under LGPL that anyone can contribute to and can be reused by a variety of software; polarssl is a closed commercial project under a commercial license with a GPLv2 exception.
>
> Oh well, I sometimes have the feeling if it's open-source + backed by a company there is more interest in avoiding another case of heartbleed

You could be right, but I'd expect a different set of bugs to be present rather than no bugs. Being commercial doesn't imply there are no bugs. My experience shows the contrary (and both openssl and gnutls are far from being non-commercial as they are backed by several companies that either contribute code or hire their developers). The advantage small implementations have initially over gnutls and openssl is the fact that they are smaller and support much fewer features, thus they are easy to check and have a smaller attack vector.

Their disadvantage is that they need to get on par with the features of the other libraries (see for example how supporting cryptodev and modern algorithms improves performance in a small system [0], thus using a mainstream implementation pays off). In any case my opinion is biased as I am working on gnutls.

regards,
Nikos

[0]. http://nmav.gnutls.org/2012/04/in-some-embedded-systems-space-may.html
Re: [OpenWrt-Devel] [PATCH 0/4] dnsmasq: DNSSEC support
On 16.06.2014 11:56, Nikos Mavrogiannopoulos wrote:
> On Mon, Jun 16, 2014 at 10:53 AM, edgar.sol...@web.de wrote:
>>> On the contrary, I'd prefer if it doesn't. Nettle is an open project under LGPL that anyone can contribute to and can be reused by a variety of software; polarssl is a closed commercial project under a commercial license with a GPLv2 exception.
>>
>> according to https://polarssl.org/how-to-get you can use the polarssl library properly under copyleft GPL2. if they offer additional licenses does not matter.
>
> That's what I already mentioned. The difference with open-source software is the missing "how to contribute" page (I consider the presence of a developer community a vital part of being open source). Otherwise, tomorrow you could be left with a GPLv2 codebase that is outdated and unmaintained if the X company desires that the GPLv2 codebase they release is no longer a good marketing approach. Another risk is to wait for years (or eternity) to get features that paying customers get (see matrixssl).

well, i guess our open-source definition differs here ;) i tend to use the definition of the open source initiative http://opensource.org/osd

understandably you'd prefer maintained code. but in reality even big oss projects die or are split up or forked or, or, or.. so what is left is that you can take a past and current maintenance status as a variable in your decision making only, no more, no less.

..ede
Re: [OpenWrt-Devel] [PATCH 0/4] dnsmasq: DNSSEC support
Hi Andre,

could you please add nettle-mini support and make this a build variant instead of a config option, please? Build variant has the advantage that we can precompile it as ipks because we cannot enable dnssec by default.

Otherwise thanks for your work.

Cheers,
Steven
Re: [OpenWrt-Devel] [PATCH 0/4] dnsmasq: DNSSEC support
On 15 June 2014 17:13, Steven Barth cy...@openwrt.org wrote:
> Hi Andre,
>
> could you please add nettle-mini support and make this a build variant instead of a config option, please? Build variant has the advantage that we can precompile it as ipks because we cannot enable dnssec by default.

There exists a need for compilation with the combination of multiple features enabled. With dnssec and dhcpv6, 4 variants are needed to cover all the possibilities. So I prefer keeping them in the form of configurable options as there are other features in dnsmasq to be enabled like ipset support, and serious users would enable/compile on their own.

yousong

> Otherwise thanks for your work.
>
> Cheers,
> Steven
[OpenWrt-Devel] [PATCH 0/4] dnsmasq: DNSSEC support
Hi,

this set adds DNSSEC validation to dnsmasq, tested on ar71xx.

The set is pretty small and should be self explanatory. There's room for improvement though:

- compilation will fail under CONFIG_LIBNETTLE_MINI. I failed to express the dependencies so that this combination is not allowed... Hints?
- the Configuration submenu shows up between the two variants but influences both. Is there a recommended way how to handle compile time options for variants?

To test:

1) use a DNSSEC-capable upstream DNS server
2) add to /etc/config/dhcp:

    config dnsmasq
        ...
        # Activate DNSSEC validation
        option dnssec '1'
        # Ensure answers without DNSSEC are in unsigned zones
        option dnsseccheckunsigned '1'

   setting the latter option to '1' without fulfilling 1) will break all queries!

- `dig +dnssec +multi +tcp posteo.de` should resolve with 'ad' in flags
- `dig +dnssec +multi +tcp dnssec-failed.org` should not resolve

Thanks,
Andre

Andre Heider (4):
  dnsmasq: use COPTS for compile time options
  dnsmasq: respect target's LDFLAGS
  dnsmasq: Add config option to enable DNSSEC validation
  dnsmasq: add UCI DNSSEC runtime support

 package/network/services/dnsmasq/Config.in      | 25 ++
 package/network/services/dnsmasq/Makefile       | 24 +++--
 .../network/services/dnsmasq/files/dnsmasq.init |  8 +++
 3 files changed, 51 insertions(+), 6 deletions(-)
 create mode 100644 package/network/services/dnsmasq/Config.in

--
2.0.0
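The two dig checks in the cover letter can be scripted so the self-test runs non-interactively after enabling dnssec and dnsseccheckunsigned. The script below is an added example, not part of the patch set or of dnsmasq: it classifies dig's text output by the status in the `->>HEADER<<-` line and the presence of the `ad` (authenticated data) flag, and combines the two results into a verdict that also recognises the failure mode the cover letter warns about (every query SERVFAILs because the upstream server is not DNSSEC-capable). The function names `classify_dig_output` and `dnssec_verdict` are chosen here, and the embedded dig outputs are constructed samples with the answer sections omitted, not real captures.

```shell
#!/bin/sh
# Added example (not from the patch set): classify the result of
# `dig +dnssec +multi +tcp <name>` read from stdin. Return codes:
#   0  NOERROR with the 'ad' flag set: DNSSEC-validated answer
#   1  NOERROR without 'ad': answered, but not validated
#   2  SERVFAIL: validation failed (expected for dnssec-failed.org), or the
#      upstream is not DNSSEC-capable and dnsseccheckunsigned breaks everything
#   3  anything else (NXDOMAIN, no dig header found, ...)
classify_dig_output() {
    input=$(cat)
    # ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711"
    status=$(printf '%s\n' "$input" \
        | sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    # ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, ..."
    flags=$(printf '%s\n' "$input" \
        | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        NOERROR)
            case " $flags " in
                *" ad "*) return 0 ;;
                *)        return 1 ;;
            esac ;;
        SERVFAIL) return 2 ;;
        *)        return 3 ;;
    esac
}

# Combine the two checks from the cover letter: the signed zone must come
# back validated (0) and the deliberately broken zone must fail (2).
# Prints a one-word verdict and returns 0 only when both hold.
dnssec_verdict() {
    signed_rc=$1
    bogus_rc=$2
    if [ "$signed_rc" -eq 0 ] && [ "$bogus_rc" -eq 2 ]; then
        echo "validating"; return 0
    elif [ "$signed_rc" -eq 2 ] && [ "$bogus_rc" -eq 2 ]; then
        echo "broken-upstream"; return 1   # everything SERVFAILs
    elif [ "$signed_rc" -eq 1 ]; then
        echo "not-validating"; return 1    # answers arrive without 'ad'
    else
        echo "unexpected"; return 1
    fi
}

# Constructed sample outputs (not real captures); answer sections omitted.
sample_validated() {
    cat <<'EOF'
; <<>> DiG 9.9.5 <<>> +dnssec +multi +tcp posteo.de
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
EOF
}

sample_bogus() {
    cat <<'EOF'
; <<>> DiG 9.9.5 <<>> +dnssec +multi +tcp dnssec-failed.org
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
}

sample_unvalidated() {
    cat <<'EOF'
; <<>> DiG 9.9.5 <<>> +dnssec +multi +tcp posteo.de
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
EOF
}

# Stand-alone run over the samples. On a router with the patches applied,
# replace the sample_* calls with the real dig commands from the cover letter.
sample_validated | classify_dig_output; signed=$?
sample_bogus     | classify_dig_output; bogus=$?
dnssec_verdict "$signed" "$bogus"
```

A verdict of `broken-upstream` is what you see when dnsseccheckunsigned is on but step 1) was skipped; `not-validating` means the resolver answers but never sets `ad`, which usually means dnssec is still off at runtime.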
Re: [OpenWrt-Devel] [PATCH 0/4] dnsmasq: DNSSEC support
On Sat, 2014-06-14 at 17:34 +0200, Andre Heider wrote:
> Hi,
>
> this set adds DNSSEC validation to dnsmasq, tested on ar71xx.
>
> The set is pretty small and should be self explanatory. There's room for improvement though:
>
> - compilation will fail under CONFIG_LIBNETTLE_MINI. I failed to express the dependencies so that this combination is not allowed... Hints?

Hello,

Why would it fail? If the issue is the missing gmp.h, you could simply replace it with nettle's bignum.h and avoid direct linking with gmp.

regards,
Nikos
Re: [OpenWrt-Devel] [PATCH 0/4] dnsmasq: DNSSEC support
On Sat, Jun 14, 2014 at 6:56 PM, Nikos Mavrogiannopoulos n...@gnutls.org wrote:
> On Sat, 2014-06-14 at 17:34 +0200, Andre Heider wrote:
>> Hi,
>>
>> this set adds DNSSEC validation to dnsmasq, tested on ar71xx.
>>
>> The set is pretty small and should be self explanatory. There's room for improvement though:
>>
>> - compilation will fail under CONFIG_LIBNETTLE_MINI. I failed to express the dependencies so that this combination is not allowed... Hints?
>
> Hello,
>
> Why would it fail? If the issue is the missing gmp.h, you could simply replace it with nettle's bignum.h and avoid direct linking with gmp.

I was getting errors about mismatching symbols before, I guess that's because it included gmp.h and then tried to link against a libnettle-mini. But you're right, with that header change it indeed does work, thanks!

Regards,
Andre