
Re: Bind 8.2 and greater license?



Ray,

> We don't allow non-free source to be part of Debian proper ("main"). If a
> "--no-rsa" option is feasible for you, it indicates that it is most likely
> feasible for us to produce a tarball with the non-free code removed so we
> can have bind in "main". 

Yes.

> Of course, we would prefer it if in the end you
> were to do this yourself (by having a free bind source, and the non-free RSA
> code in a separate add-on), but AFAICT "--no-rsa" would be a workable
> solution.

I see three options:
a) we create a bind and a bind-norsa distribution;
b) we create a bind distribution with an RSA add-on;
c) you do all the work.

For various reasons, my personal preference is to go with (a), but I need
to discuss this a bit more internally.

> I'm not very familiar with DNS, but looking at
> http://www.faqs.org/rfcs/rfc2535.html the alternative algorithms specified
> (DH, DSA) are well-known public key / digital signature ones; I doubt they
> need so much more resources than RSA.

For signature verification, I'm told that DSA is on the order of a
magnitude slower than RSA (RSA is slower for key generation, but that's
something that is done relatively infrequently with DNSSEC).  This is
why RSA is the recommended algorithm despite the fact that it is
patented.  Also, the implementation of DSA in BIND 8.* sucks badly.

However, given it would be difficult to use 8.*'s DNSSEC in production,
this probably isn't too much of an issue right now -- DNSSEC was
included in 8.2 primarily to give people a chance to get familiar with
the operational implications of using DNSSEC.  The question of using RSA
will be a much more significant issue for BINDv9 (due out in final
release at the end of April, 2000).
 
> That's difficult to tell, but certainly not earlier than November.

Then the issue is ISC's timing and any difficulties we might have in
pulling out the RSA code again.

Rgds,
-drc
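The verification-cost point made above (DSA verification noticeably slower than RSA, RSA slower at key generation) has a structural explanation that is easy to see in code. The following is an added example, not part of this thread and not BIND's code: textbook RSA and DSA in pure Python that report the width of the exponents each verification has to raise to. RSA verification is a single exponentiation with a 17-bit public exponent (65537), while DSA verification needs two exponentiations with full q-width exponents, and on the key-generation side RSA must search for two large primes per key while a DSA key is one exponentiation once the shared (p, q, g) parameters exist. Assumptions: 512-bit moduli and a 160-bit q for speed, SHA-1 as the digest (as DSA of that era used), no padding, and a seeded RNG so the run is reproducible. None of that is suitable for real keys; the sample record text is constructed.

```python
"""Textbook RSA vs DSA: where the verification cost goes.
Demo only: short keys, SHA-1, no padding, seeded RNG.  Not for real use."""
import hashlib
import random

rng = random.Random(2000)  # seeded for reproducibility; real keys need a CSPRNG

def is_probable_prime(n, rounds=20):
    """Trial division by small primes, then Miller-Rabin."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if is_probable_prime(c):
            return c

def digest(msg):
    """SHA-1 as an integer: 160 bits, the same width as DSA's q here."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big")

# ---- RSA: tiny public exponent, full-width private exponent ----
def rsa_keygen(bits=512):
    e = 65537
    while True:  # key generation = search for two large primes
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))

def rsa_sign(priv, msg):
    n, d = priv
    return pow(digest(msg), d, n)  # one exponentiation, ~|n|-bit exponent

def rsa_verify(pub, msg, sig):
    """Returns (valid, exponent bits): one exponentiation with a 17-bit exponent."""
    n, e = pub
    return pow(sig, e, n) == digest(msg) % n, e.bit_length()

# ---- DSA: both sign and verify use |q|-bit exponents ----
def dsa_params(pbits=512, qbits=160):
    q = random_prime(qbits)
    while True:  # find a prime p with q | (p - 1)
        p = rng.getrandbits(pbits - qbits) * q + 1
        if p.bit_length() == pbits and is_probable_prime(p):
            break
    while True:
        g = pow(rng.randrange(2, p - 1), (p - 1) // q, p)
        if g > 1:
            return p, q, g

def dsa_keygen(params):
    p, q, g = params
    x = rng.randrange(1, q)  # key generation = one exponentiation
    return (p, q, g, pow(g, x, p)), (p, q, g, x)

def dsa_sign(priv, msg):
    p, q, g, x = priv
    while True:
        k = rng.randrange(1, q)
        r = pow(g, k, p) % q  # one |q|-bit exponentiation
        s = (pow(k, -1, q) * (digest(msg) + x * r)) % q
        if r and s:
            return r, s

def dsa_verify(pub, msg, sig):
    """Returns (valid, exponent bits): two exponentiations with |q|-bit exponents."""
    p, q, g, y = pub
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False, 0
    w = pow(s, -1, q)
    u1, u2 = (digest(msg) * w) % q, (r * w) % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r, u1.bit_length() + u2.bit_length()

def demo(msg=b"example.com. IN A 192.0.2.1"):  # constructed sample record text
    rsa_pub, rsa_priv = rsa_keygen()
    dsa_pub, dsa_priv = dsa_keygen(dsa_params())
    rsa_ok, rsa_bits = rsa_verify(rsa_pub, msg, rsa_sign(rsa_priv, msg))
    dsa_ok, dsa_bits = dsa_verify(dsa_pub, msg, dsa_sign(dsa_priv, msg))
    return {"rsa_ok": rsa_ok, "rsa_verify_exp_bits": rsa_bits,
            "dsa_ok": dsa_ok, "dsa_verify_exp_bits": dsa_bits}

if __name__ == "__main__":
    print(demo())
```

The exponent-bit counts are a proxy for modular multiplications (square-and-multiply does roughly one squaring per exponent bit): RSA verification stays at 17 bits regardless of key size, DSA verification is around 320 bits for a 160-bit q, and the gap is what a resolver validating many signatures per second feels. RSA pays instead at key generation, where each key needs a fresh search for two large primes.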

