In message <[email protected]>, Doug Barton writes:
> On 07/08/2012 17:33, Matthew Pounsett wrote:
> >
> > On 2012/07/08, at 20:29, Matthew Pounsett wrote:
> >
> >>
> >> On 2012/07/08, at 20:26, Mark Andrews wrote:
> >>
> >>>
> >>> One can also build named w/o GOST support if one wants. We statically
> >>> link all the engines when building named on Windows.
> >>
> >> Unfortunately the port doesn't provide the config hooks to disable GOST
> >> support.
> >
> > Actually.. how do you go about doing that anyway? I was just taking a look
> > at writing a patch for the port to allow GOST to
> > be turned off, but BIND's configure script doesn't have any information in
> > it about disabling individual ciphers.
>
> I wouldn't accept it anyway. For better or worse, GOST is part of the
> protocol.
>
> Doug

GOST is not a mandatory part of DNSSEC. It is entirely optional whether
a site supports it or not. If a site doesn't support GOST then the zone
is treated as insecure. It doesn't break anything to disable GOST
support. This is no worse than deciding whether to link with OpenSSL
or not.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]

