[Pdns-dev] PowerDNS Authoritative Server 4.0.0-alpha2 released

Pieter Lexis pieter.lexis at powerdns.com
Thu Feb 25 18:05:21 UTC 2016


Hi Justin,

On Thu, 25 Feb 2016 17:30:13 +0000
Justin Clift <justin at postgresql.org> wrote:

> Out of curiosity, why the move towards OpenSSL? :)
> 
> Only asking because many OSS projects are moving *away* from it, due
> to OpenSSL's repeated (severe) vulnerabilities and known-lousy code 
> base.
> 
> Gluster was thinking about shifting away from OpenSSL a while back too,
> and alternatives such as PolarSSL, LibreSSL (etc) were raised in discussion.
> 
> PowerDNS was an example I pointed out of PolarSSL usage, so it's not
> empty curiosity. :)

So first off, we don't use the TLS stacks from any of the crypto libraries, just the hash and cryptographic primitives to sign for DNSSEC, so we're most likely hardly affected by OpenSSL TLS issues.

The main reason we switched to OpenSSL is that in our testing, we noticed that signature generation was an order of magnitude faster with OpenSSL compared to mbedTLS and Crypto++ due to the ASM optimizations of OpenSSL. I tested building against LibreSSL 2.3, which works :), so you can always do that.

Best regards,

Pieter

-- 
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com

