27.04.2022 12:08, Ondřej Surý wrote:
> Hi,
> GOST has been deprecated for use in DNSSEC, and the
> actual standard actually says it MUST NOT be used for
> signing (and MAY be used for verification), see RFC 8624.
> I think the best course of action here is to actually disable it
> everywhere where GOST R 34.10-2001 is used as it has
> been superseded by GOST R 34.10-2012 in [RFC7091].
I don't know which version(s) of GOST are enabled in ldns
when built with --enable-gost[-anyway]. Do you?
Please note there are at least 4 symbols in the libldns3
library which are gost-related:
ldns_gost2pkey_raw@Base 1.7.1
ldns_gost_engine@Base 1.7.1
ldns_key_EVP_load_gost_id@Base 1.7.1
ldns_key_EVP_unload_gost@Base 1.7.1
I'm not sure here, but it looks like we'll have to
bump the library soname when removing these symbols.
To me it looks like it's not worth the effort. Especially
since we "MAY" (as the RFC suggests) need it to verify
some old signatures anyway.
Thanks,
/mjt
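The thread turns on the RFC 8624 distinction between signing (MUST NOT for ECC-GOST, algorithm 12) and validation (MAY). The script below is an added example, not code from ldns or from either correspondent: it reads DNSKEY and RRSIG records in presentation format and reports each one's RFC 8624 status for a chosen role, so an operator can confirm that no zone is still being signed with GOST while still accepting it for validation. The policy table transcribes RFC 8624 Table 1; the zone records at the bottom are constructed sample data with placeholder key and signature fields.

```python
"""Audit DNSKEY/RRSIG records against the RFC 8624 algorithm policy.

Added example (not ldns code). The table transcribes RFC 8624 Table 1;
the ZONE records below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 8624 Table 1: algorithm number -> (mnemonic, signing, validation).
RFC8624 = {
    1:  ("RSAMD5", "MUST NOT", "MUST NOT"),
    3:  ("DSA", "MUST NOT", "MUST NOT"),
    5:  ("RSASHA1", "NOT RECOMMENDED", "MUST"),
    6:  ("DSA-NSEC3-SHA1", "MUST NOT", "MUST NOT"),
    7:  ("RSASHA1-NSEC3-SHA1", "NOT RECOMMENDED", "MUST"),
    8:  ("RSASHA256", "MUST", "MUST"),
    10: ("RSASHA512", "NOT RECOMMENDED", "MUST"),
    12: ("ECC-GOST", "MUST NOT", "MAY"),      # GOST R 34.10-2001 (RFC 5933)
    13: ("ECDSAP256SHA256", "MUST", "MUST"),
    14: ("ECDSAP384SHA384", "MAY", "RECOMMENDED"),
    15: ("ED25519", "RECOMMENDED", "RECOMMENDED"),
    16: ("ED448", "MAY", "RECOMMENDED"),
}


@dataclass
class Finding:
    owner: str
    rrtype: str
    algorithm: int
    name: str
    verdict: str


def parse_algorithm(rr: str) -> Optional[Tuple[str, str, int]]:
    """Return (owner, rrtype, algorithm) for a DNSKEY or RRSIG line.

    DNSKEY rdata is "flags protocol algorithm key"; RRSIG rdata starts
    with "type-covered algorithm labels ...". Other record types and
    malformed lines yield None.
    """
    fields = rr.split()
    if len(fields) < 4:
        return None
    owner, rrtype = fields[0], fields[3]
    if rrtype == "DNSKEY" and len(fields) >= 7:
        return owner, rrtype, int(fields[6])
    if rrtype == "RRSIG" and len(fields) >= 6:
        return owner, rrtype, int(fields[5])
    return None


def audit(records: List[str], role: str = "signing") -> List[Finding]:
    """Classify every DNSKEY/RRSIG in `records` under the RFC 8624
    column for `role` ("signing" for a zone you sign, "validation"
    for data you accept from others)."""
    column = {"signing": 1, "validation": 2}[role]
    findings = []
    for rr in records:
        parsed = parse_algorithm(rr)
        if parsed is None:
            continue
        owner, rrtype, alg = parsed
        entry = RFC8624.get(alg, ("unknown", "UNKNOWN", "UNKNOWN"))
        findings.append(Finding(owner, rrtype, alg, entry[0], entry[column]))
    return findings


def violations(records: List[str], role: str = "signing") -> List[Finding]:
    """Only the findings whose algorithm is MUST NOT for this role."""
    return [f for f in audit(records, role) if f.verdict == "MUST NOT"]


# Constructed sample zone: one ECDSA key, one leftover ECC-GOST key, and
# signatures made with each. Key and signature fields are placeholders.
ZONE = [
    "example.test. 3600 IN DNSKEY 257 3 13 PLACEHOLDER-KEY",
    "example.test. 3600 IN DNSKEY 256 3 12 PLACEHOLDER-KEY",
    "example.test. 3600 IN RRSIG A 12 2 3600 20220601000000 "
    "20220501000000 12345 example.test. PLACEHOLDER-SIG",
    "example.test. 3600 IN RRSIG A 13 2 3600 20220601000000 "
    "20220501000000 54321 example.test. PLACEHOLDER-SIG",
    "example.test. 3600 IN A 192.0.2.1",
]

if __name__ == "__main__":
    for role in ("signing", "validation"):
        print(f"== {role} ==")
        for f in audit(ZONE, role):
            print(f"{f.owner} {f.rrtype:6} alg {f.algorithm:2} ({f.name}): {f.verdict}")
```

Run against a real zone by feeding it the output of `dig +multi DNSKEY` or the signed zone file, one record per line. In the sample, the GOST key and its RRSIG are MUST NOT violations in the signing role but only MAY in the validation role, which is exactly the asymmetry the thread relies on when it argues for keeping the verification code paths.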