Bug#733295: gnutls-bin: please compile GnuTLS with DANE support

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Apr 10 14:19:01 UTC 2015


On Wed, Apr 8, 2015 at 10:13 PM, Cyril Brulebois <kibi at debian.org> wrote:
>> I think option 2 is the simplest, shortest-path option for now, though
>> the idea that installing libgnutls28 brings in libnss3 as a dependency
>> seems rather ugly to me.
> so I've spent a few moments trying to get stuff to build and see how it
> goes. I'm particularly unimpressed with the resulting patches, but they
> might at least be useful to someone who would like to try a bit harder
> to get stuff into shape, and/or who would like to toy around locally.
> The unbound patch introduces an NSS variant of libunbound, which I didn't
> try to make co-installable along with the regular one.

I should note here that for danetool the switch to nss is not
necessary. In the last releases of gnutls, danetool is under GPLv3
with the openssl exception.

> The end result is error messages while trying to validate the domain
> mentioned at the beginning of this bug report (www.nic.cz)... at the
> moment, besides installing the resulting binary packages, I had to copy
> /usr/share/dns/root.key under /etc/unbound/
> | $ danetool --check=www.nic.cz
> | Querying DNS for www.nic.cz (tcp:443)...
> | [1428519378] libunbound[7678:0] error: PK11_GenerateRandom error: Unknown code ___f 65

I know Fedora ships with unbound linked with nss, and doesn't have
these issues. Probably they are using some additional patches?

regards,
Nikos


