Skip to content

GitLab

  • Menu
Projects Groups Snippets
    • Loading...
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in / Register
  • BIND BIND
  • Project information
    • Project information
    • Activity
    • Labels
    • Planning hierarchy
    • Members
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
  • Issues 530
    • Issues 530
    • List
    • Boards
    • Service Desk
    • Milestones
  • Merge requests 98
    • Merge requests 98
  • CI/CD
    • CI/CD
    • Pipelines
    • Jobs
    • Schedules
  • Deployments
    • Deployments
    • Environments
    • Releases
  • Monitor
    • Monitor
    • Incidents
  • Packages & Registries
    • Packages & Registries
    • Container Registry
  • Analytics
    • Analytics
    • Value stream
    • CI/CD
    • Repository
  • Wiki
    • Wiki
  • Snippets
    • Snippets
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
Collapse sidebar
  • ISC Open Source Projects
  • BINDBIND
  • Issues
  • #295

Closed
Open
Created May 25, 2018 by Ondřej Surý@ondrejOwner

Remove ECC-GOST (GOST R 34.11-94) support

From https://datatracker.ietf.org/doc/draft-ietf-dnsop-algorithm-update/?include_text=1

ECC-GOST (GOST R 34.11-94) has been superseded by GOST R 34.11-2012 in [RFC6986]. The GOST R 34.11-2012 hasn't been standardized for use in DNSSEC.

From RFC6986:

GOST R 34.11-94 is superseded by GOST R 34.11-2012 from 1st January 2013. That means that all new systems that are presented for certification MUST use GOST R 34.11-2012 and MAY use GOST R 34.11-94 also for maintaining compatibility with existing systems. Usage of GOST R 34.11-94 in current systems is allowed at least for a 5-year period.

From OpenSSL 1.1.0 ChangeLog:

*) The GOST engine was out of date and therefore it has been removed. An up to date GOST engine is now being maintained in an external repository. See: https://wiki.openssl.org/index.php/Binaries. Libssl still retains support for GOST ciphersuites (these are only activated if a GOST engine is present).

Given the very low deployment numbers (SecSpider reports 119 keys and that's less than DSA), I propose to remove this ciphersuite from BIND.

Assignee
Assign to
Time tracking