Currently, GnuTLS cannot be compiled with DANE support as that would
require linking against libunbound2; that is unsuitable since
libunbound2 links against OpenSSL. As of unbound 1.5.7, compiling
against libnettle is supported for libunbound2. Doing so would allow
GnuTLS (and other GPL-licensed software) to make use of libunbound2.
Could you please do so?
Before I do that, I'd like to determine if the nettle support is
considered production ready, and if so will it be supported long term?
Is there any reason to prefer the current OpenSSL crypto implementation
in Unbound, other than it existing longer?
It works fine, but --with-libunbound-only means the unbound daemon (and
unbound-checkconf tools) do not get compiled. So, probably unsuitable
for the general-purpose package, where people expect the unbound daemon
to get installed.
The reason the daemon does not compile is that nettle (and libnss, the
other crypto library option) have such different ways to handle SSL (or
rather, TLS) connections.
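As an added illustration (not from this thread or the unbound project), the two build variants being discussed and a check that verifies which crypto library a built libunbound actually links; it assumes unbound's configure accepts `--with-nettle`, `--with-ssl` and `--with-libunbound-only`, and the ldd output fed to the check is constructed sample data.

```shell
#!/bin/sh
# Added example: build libunbound two ways and classify the result's
# crypto backend from its dynamic dependencies. Assumes an unbound source
# tree in $PWD and the configure flags named below (not verified here).

# Library-only build against nettle: no daemon and no OpenSSL dependency,
# which is the variant GPL-licensed consumers such as GnuTLS could use.
build_libunbound_nettle() {
    ./configure --with-nettle --with-libunbound-only \
        --prefix=/usr/local/unbound-nettle && make && make install
}

# General-purpose build: daemon, tools and libunbound, OpenSSL-based.
build_unbound_openssl() {
    ./configure --with-ssl --prefix=/usr/local/unbound-openssl \
        && make && make install
}

# Read ldd-style lines on stdin and print "openssl", "nettle", "both" or
# "none", so a packager can assert the license-relevant property (no
# libssl/libcrypto in the library) instead of trusting the flags alone.
crypto_backend_of() {
    ssl=0; nettle=0
    while read -r line; do
        case "$line" in
            *libssl.so*|*libcrypto.so*) ssl=1 ;;
            *libnettle.so*|*libhogweed.so*) nettle=1 ;;
        esac
    done
    if [ "$ssl" = 1 ] && [ "$nettle" = 1 ]; then echo both
    elif [ "$ssl" = 1 ]; then echo openssl
    elif [ "$nettle" = 1 ]; then echo nettle
    else echo none; fi
}

# Against a real build: ldd "$PREFIX/lib/libunbound.so" | crypto_backend_of

# Constructed sample ldd output for an offline self-check.
SAMPLE_NETTLE='linux-vdso.so.1
libnettle.so.6 => /usr/lib/libnettle.so.6
libhogweed.so.4 => /usr/lib/libhogweed.so.4
libc.so.6 => /lib/libc.so.6'
SAMPLE_OPENSSL='libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0
libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0
libc.so.6 => /lib/libc.so.6'
```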