On 12.07.2016 8:48, Kevin Oberman wrote:

> >> Maybe need to file a PR for dns/bind910?
> >>
> >> # grep -3 BROK /poudriere/ports/default/dns/bind910/Makefile
> >> .include <bsd.port.pre.mk>
> >>
> >> .if ( ${PORT_OPTIONS:MGOST} || ${PORT_OPTIONS:MGOST_ASN1} ) && ${SSL_DEFAULT} == base
> >> BROKEN= OpenSSL from the base system does not support GOST, add \
> >> DEFAULT_VERSIONS+=ssl=openssl to your /etc/make.conf and rebuild everything \
> >> that needs SSL.
> >> .endif
> >>
> >
> > I dislike the idea of using GOST in bind, it is unneeded there, DNSSEC
> > doesn't use GOST, so I vote for removing the GOST option from there.
> >
> > I need to note that an RFC exists, proposing GOST (old version) for DNSSEC:
> https://tools.ietf.org/html/rfc5933
> but nobody really uses it.
>
> In case people are not aware of it, Russian law now requires ALL
> encrypted traffic must either be accessible by the FSB or that the
> private keys must be available to the FSB.

It is not quite so. All traffic must be available for 6 months and they express an intention to ask big companies for their private keys, but the latter is not required by the law (not yet...)

> I have always assumed that
> GOST has a hidden vulnerability/backdoor that the FSB is already using,

I already answered this question elsewhere in this thread with the reference.

> but this makes it mandatory. Putin gave the FSB 2 weeks to implement the
> law, which is clearly impossible, but I suspect that there will be a
> huge effort to pick all low-hanging fruit. As a result, I suspect no one
> outside of Russia will touch GOST. (Not that they do now, either.) I'd
> hate to see its support required for any protocol except in Russia as
> someone will be silly enough to use it.

I already explained the required GOST usage pattern in this thread.

Received on Tue Jul 12 2016 - 07:16:07 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:06 UTC