ports/169612: dns/powerdns: Fix botan/cryptopp dependency, make it configurable
Joe Holden
joe at rewt.org.uk
Thu Jul 12 18:30:06 UTC 2012
The following reply was made to PR ports/169612; it has been noted by GNATS.
From: Joe Holden <joe at rewt.org.uk>
To: Ralf van der Enden <ralf.vanderenden at deltares.nl>
Cc: <bug-followup at freebsd.org>
Subject: Re: ports/169612: dns/powerdns: Fix botan/cryptopp dependency, make it configurable
Date: Thu, 12 Jul 2012 19:29:21 +0100
On 2012-07-12 16:12, Ralf van der Enden wrote:
> On 12-7-2012 17:04, Joe Holden wrote:
>> On 2012-07-12 08:52, Ralf van der Enden wrote:
>>> Hi Joe,
>>>
>>> I've talked to the author of powerdns and if you disable botan and
>>> cryptopp, pdns will run at half speed when doing DNSSEC stuff.
>>> Therefore I'm not in favor of making them configurable. Large DNS
>>> installations might run into serious performance issues. Or is there
>>> another reason you want them configurable I'm not aware of?
>>>
>> The default should probably be on, but I added that anyway to avoid
>> pulling in more dependencies if they aren't being used (e.g., if you
>> don't use DNSSEC), or don't have sufficient requirement for it.
> I'm more in favor of an 'Enable extra DNSSEC algorithms' option
> instead of configuring cryptopp and botan individually.
>>
Agreed, that is more appropriate.
>>> Checking out your patch I did find out there's a bug in powerdns'
>>> botan 1.8 support when using ECDSA crypto. Your botan patch
>>> unfortunately doesn't fix things, but I've upgraded botan to 1.10.2 on
>>> my local system and that does seem to correct the issue. When I have
>>> some more time I will see if the port-maintainer of botan is
>>> interested in creating a 1.10 port besides the now existing 1.8 one.
>>>
>> The problem with the botan port is that it didn't enable the correct
>> module and also deleted some headers after install - on my machines
>> where I use powerdns/botan the patch does allow powerdns to be built
>> correctly and the ECDSA headers for botan are present.
>>
>> Does this not work on your machine?
> Building with botan 1.8 worked just fine here, even without your (not
> yet submitted) patch. Not sure why it didn't on your machine though.
>
Interesting, I will have to run through a build on a fresh machine
again, the problem was though that powerdns wasn't finding ecdsa.h and
friends as they weren't installed without the --enable-modules=ecdsa
flag to botan 1.8.
I'll give it another try and see, though.
> The thing that doesn't work though is the following:
> pdnssec test-algorithms
>
> Although pdns compiled successfully with botan 1.8, ECDSA support
> still is broken. I'm guessing that command also shows some failures on
> your end when running it.
> Until it's a) fixed or b) botan is upgraded to 1.10.2, I'm probably
> gonna disable botan support for now. ECC-GOST (algo 12) is only
> enabled when compiling against botan 1.10, and ECDSA (algo 13 and 14)
> are both supported by cryptopp.
>>
>>> Best regards,
>>>
>>> Ralf van der Enden
>>>
>> Thanks,
>> J
>>
>>
>
> Thanks for your input though. It made me look further than just a
> successful compilation process.
>
> Best regards,
>
> Ralf
Thanks,
J