Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
On 01/04/14 19:14, Nathan Dorfman wrote:
> With such superior understanding, shouldn't you be adding OpenSSL support
> to dnsmasq yourself? That way you can deal with their byzantine API and the
> resulting bugs, and Simon can instead do something actually worthwhile.

But don't do that before the licensing issue has been resolved. The motive for moving from openSSL to (not openSSL) was largely about incompatible licenses. Delving into the git repo and finding the openSSL adapter code is the least of the problems.

... and if anyone is volunteering to do a code audit, can I ask they consider auditing the dnsmasq DNSSEC code, which is orders of magnitude less mature than either openSSL _or_ Nettle? Let's get our priorities right here.

Simon.

> On Tue, Apr 1, 2014 at 2:07 PM, Brad Smith wrote:
>
>> On 01/04/14 2:02 PM, Nathan Dorfman wrote:
>>
>>> Maybe OpenSSL is the right choice anyway, I don't know. But, I thought
>>> someone should speak up for nettle :)
>>
>> speaking up for nettle means nothing when you don't understand the
>> issue at hand.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
On Tue, Apr 01, 2014 at 10:45:44AM -0700, Dave Taht wrote:
> And thus I enthusiastically support other OSes than linux,
> other dns servers besides bind, and other crypto libraries
> besides openssl.

One named to rule them all
One named to find them
One named to bring them all
And in the darkness BIND them.

:)
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
With such superior understanding, shouldn't you be adding OpenSSL support to dnsmasq yourself? That way you can deal with their byzantine API and the resulting bugs, and Simon can instead do something actually worthwhile.

On Tue, Apr 1, 2014 at 2:07 PM, Brad Smith wrote:

> On 01/04/14 2:02 PM, Nathan Dorfman wrote:
>
>> Maybe OpenSSL is the right choice anyway, I don't know. But, I thought
>> someone should speak up for nettle :)
>
> speaking up for nettle means nothing when you don't understand the
> issue at hand.

Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
On 01/04/14 2:02 PM, Nathan Dorfman wrote:
> Maybe OpenSSL is the right choice anyway, I don't know. But, I thought
> someone should speak up for nettle :)

speaking up for nettle means nothing when you don't understand the issue at hand.

Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
On Tue, Apr 1, 2014 at 12:54 PM, /dev/rob0 wrote:
> a

I can't speak to an actual code audit, but nettle isn't some third-rate clone. It's a mature, actively developed and (importantly) thoroughly documented project.

If I were to undertake such an audit however, I would surely prefer to have to audit nettle rather than OpenSSL, as unlike the latter, nettle's code is quite readable and even easy on the eyes. Not to mention that there's much less code to begin with, as the library simply doesn't try to do everything OpenSSL does. From their introduction[1]:

"Nettle tries to avoid this problem by doing one thing, the low-level crypto stuff, and providing a *simple* but general interface to it. In particular, Nettle doesn't do algorithm selection. It doesn't do memory allocation. It doesn't do any I/O."

Maybe OpenSSL is the right choice anyway, I don't know. But, I thought someone should speak up for nettle :)

-nd.

[1] - http://www.lysator.liu.se/~nisse/nettle/nettle.html#Introduction

Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
On 01/04/14 1:45 PM, Dave Taht wrote:
> On Tue, Apr 1, 2014 at 9:54 AM, /dev/rob0 wrote:
>> On Tue, Mar 25, 2014 at 07:08:44PM -0400, Alex Xu wrote:
>>> On 25/03/14 07:03 PM, sven falempin wrote:
>>>> my concern of nettle vs openssl is the amount of review and
>>>> testing nettle did get compared to something more widely(!)
>>>> used
>>>
>>> something being used a lot != something being good
>>
>> Absolutely true, but in the context of open source software,
>> especially cryptographic software, more use also tends to mean
>> more code review.
>>
>> I'm not really qualified to judge here what is best; I can only
>> point out what I, as a user, think about it. I'll trust Simon's
>> judgment, but I hope he has considered these concerns.
>
> I have not been tracking this conversation closely, but my own take
> on matters is that I'm opposed to a monoculture of anything...
>
> http://www.abc.net.au/news/2013-08-29/feature-banana/4922208
>
> And thus I enthusiastically support other OSes than linux,
> other dns servers besides bind, and other crypto libraries
> besides openssl.

I have no problem with not having a monoculture. But provide an option to support more than one crypto library. Don't assume what is good for OpenWRT and other embedded OS's is good for everyone else. That's making a really poor assumption.

Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
On Tue, Apr 1, 2014 at 9:54 AM, /dev/rob0 wrote:
> On Tue, Mar 25, 2014 at 07:08:44PM -0400, Alex Xu wrote:
>> On 25/03/14 07:03 PM, sven falempin wrote:
>> > my concern of nettle vs openssl is the amount of review and
>> > testing nettle did get compared to something more widely(!)
>> > used
>>
>> something being used a lot != something being good
>
> Absolutely true, but in the context of open source software,
> especially cryptographic software, more use also tends to mean
> more code review.
>
> I'm not really qualified to judge here what is best; I can only
> point out what I, as a user, think about it. I'll trust Simon's
> judgment, but I hope he has considered these concerns.

I have not been tracking this conversation closely, but my own take on matters is that I'm opposed to a monoculture of anything...

http://www.abc.net.au/news/2013-08-29/feature-banana/4922208

And thus I enthusiastically support other OSes than linux, other dns servers besides bind, and other crypto libraries besides openssl.

> --
> http://rob0.nodns4.us/
> Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

--
Dave Täht
Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html

Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?
On Tue, Mar 25, 2014 at 07:08:44PM -0400, Alex Xu wrote:
> On 25/03/14 07:03 PM, sven falempin wrote:
> > my concern of nettle vs openssl is the amount of review and
> > testing nettle did get compared to something more widely(!)
> > used
>
> something being used a lot != something being good

Absolutely true, but in the context of open source software, especially cryptographic software, more use also tends to mean more code review.

I'm not really qualified to judge here what is best; I can only point out what I, as a user, think about it. I'll trust Simon's judgment, but I hope he has considered these concerns.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: [Dnsmasq-discuss] ipv6 slaac with global prefixes
2014-04-01 12:14 GMT+04:00 Albert ARIBAUD:
> DHCP and/*OR* network and/*OR* system logs... :)

Nothing printed =). Sorry for the noise. I'm switching to radv via the bird routing daemon =).

--
Vasiliy Tolstov,
e-mail: v.tols...@selfip.ru
jabber: v...@selfip.ru

Re: [Dnsmasq-discuss] ipv6 slaac with global prefixes
On 01/04/2014 09:38, Vasiliy Tolstov wrote:
> 2014-04-01 11:26 GMT+04:00 Albert ARIBAUD:
>> Ok, then, did you have a look at your router's and client's DHCP, network
>> and/or system logs?
>
> Why do I need dhcp logs? I don't use it. All that I have is dnsmasq with
> radv enabled and nodes with slaac configured addresses.

DHCP and/*OR* network and/*OR* system logs... :)

Best regards,
--
Albert.

Re: [Dnsmasq-discuss] ipv6 slaac with global prefixes
2014-04-01 11:26 GMT+04:00 Albert ARIBAUD:
> Ok, then, did you have a look at your router's and client's DHCP, network
> and/or system logs?

Why do I need dhcp logs? I don't use it. All that I have is dnsmasq with radv enabled and nodes with slaac configured addresses.

--
Vasiliy Tolstov,
e-mail: v.tols...@selfip.ru
jabber: v...@selfip.ru

Re: [Dnsmasq-discuss] ipv6 slaac with global prefixes
Hi again Vasiliy,

On 01/04/2014 09:20, Vasiliy Tolstov wrote:
> 2014-04-01 11:12 GMT+04:00 Albert ARIBAUD:
>> Hi Vasiliy,
>>
>> What is the *exact* command that you used to ping6? If you don't want to
>> disclose the actual target, use e.g. albert.aribaud.net, which should
>> resolve in IPv6 and answer (reasonable) IPv6 pings.
>>
>> Also, did you have a look at your router's and client's DHCP, network and/or
>> system logs?
>>
>> Best regards,
>
> I don't have external ipv6 and can't check ping for an external address.
> As I see from ip -6 r s, I have only a link-local address with /64 and not
> global. And I don't have dhcp and want to use it. I want to use only slaac
> and radv to get all connected.

Ok, then, did you have a look at your router's and client's DHCP, network and/or system logs?

Best regards,
--
Albert.

Re: [Dnsmasq-discuss] ipv6 slaac with global prefixes
2014-04-01 11:12 GMT+04:00 Albert ARIBAUD:
> Hi Vasiliy,
>
> What is the *exact* command that you used to ping6? If you don't want to
> disclose the actual target, use e.g. albert.aribaud.net, which should
> resolve in IPv6 and answer (reasonable) IPv6 pings.
>
> Also, did you have a look at your router's and client's DHCP, network and/or
> system logs?
>
> Best regards,

I don't have external ipv6 and can't check ping for an external address. As I see from ip -6 r s, I have only a link-local address with /64 and not global. And I don't have dhcp and want to use it. I want to use only slaac and radv to get all connected.

--
Vasiliy Tolstov,
e-mail: v.tols...@selfip.ru
jabber: v...@selfip.ru

Re: [Dnsmasq-discuss] ipv6 slaac with global prefixes
On 01/04/2014 08:54, Vasiliy Tolstov wrote:
> Hi all. I'm trying to use ipv6 slaac addresses and get global routing
> in my simple network. What do I need to specify in dnsmasq.conf to
> provide a global prefix to nodes?
> Now I write
>
> dhcp-range=::1,slaac,5m
> dhcp-option=option6:dns-server,[::]
> enable-ra
>
> But when I ping6 some ipv6 addr I get the error
> connect: Invalid argument

Hi Vasiliy,

What is the *exact* command that you used to ping6? If you don't want to disclose the actual target, use e.g. albert.aribaud.net, which should resolve in IPv6 and answer (reasonable) IPv6 pings.

Also, did you have a look at your router's and client's DHCP, network and/or system logs?

Best regards,
--
Albert.

[Dnsmasq-discuss] ipv6 slaac with global prefixes
Hi all. I'm trying to use ipv6 slaac addresses and get global routing in my simple network. What do I need to specify in dnsmasq.conf to provide a global prefix to nodes?
Now I write

dhcp-range=::1,slaac,5m
dhcp-option=option6:dns-server,[::]
enable-ra

But when I ping6 some ipv6 addr I get the error
connect: Invalid argument

--
Vasiliy Tolstov,
e-mail: v.tols...@selfip.ru
jabber: v...@selfip.ru