add ECDSA support to DNSSEC infra via OpenSSL #3128

Merged
merged 2 commits into from Dec 29, 2015

3 participants

@mind04
Contributor
mind04 commented Dec 28, 2015

TODO

  • signer priority
  • investigate entropy
  • add multi thread locking functions
  • rebase
@Habbie
Member
Habbie commented Dec 28, 2015

Great work! A few questions:

  1. how is the performance? I'm assuming you have numbers
  2. I do not understand the second commit, because (a) mbedTLS is already our fallback (b) I don't see how this commit does anything to reliably change the preference.
@cmouse
Contributor
cmouse commented Dec 28, 2015

Where does the entropy initialization occur?

@cmouse
Contributor
cmouse commented Dec 28, 2015

It seems that, according to the OpenSSL wiki, you might want to seed the entropy on startup using getrandom or something, see https://wiki.openssl.org/index.php/Random_Numbers#Initialization

@Habbie
Member
Habbie commented Dec 28, 2015

On OSX 10.10, using botan/cryptopp from brew, mbed from our tree, system 'openssl' ('0.9.8'), for ECDSA 13 signing, I see mbed at ~5000 usec, botan at ~2000 usec, openssl and cryptopp at ~1000

@Habbie
Member
Habbie commented Dec 28, 2015

Ubuntu 14.04, digitalocean VM: mbed 7000, botan 2000, cryptopp 1000 (consistent with osx so far), openssl at 150. Wow.

@Habbie Habbie changed the title from add ECDSA support to DNSSEC infra via OpenSSL to [WIP] add ECDSA support to DNSSEC infra via OpenSSL Dec 28, 2015
@Habbie
Member
Habbie commented Dec 28, 2015

After discussion on IRC, suggestion: remove ,true from the ::report call on OpenSSL, add it to all the others (although I'd like a deeper preference scheme, the performance differences between -every- pair of libs are tremendous); probably just get rid of the second commit then. I put WIP in the title for this question and for the entropy question.

@Habbie Habbie changed the title from [WIP] add ECDSA support to DNSSEC infra via OpenSSL to add ECDSA support to DNSSEC infra via OpenSSL Dec 29, 2015
@Habbie Habbie merged commit 26ae9dd into PowerDNS:master Dec 29, 2015

1 check was pending

continuous-integration/travis-ci/pr The Travis CI build is in progress
@mind04 mind04 deleted the mind04:openssl branch Dec 29, 2015