NSD and OpenSSL

Hi,

I'm currently busy rebuilding many of my server applications to use LibreSSL instead of OpenSSL.

I noticed that NSD links against OpenSSL and I am curious as to if that is really necessary.

I am guessing some cryptographic functions are used when it pushes zone changes to slaves, but does it actually use a TLS connection?

I know earlier this year, many bitcoin clients that dynamically link against OpenSSL broke when OpenSSL pushed an update.

The fault was not OpenSSL, it was bitcoin clients to blame. Some developers pointed out that because bitcoin doesn't actually use TLS it really should have just had the cryptographic functions it needs in its own source. That would have prevented a bug fix to OpenSSL breaking the clients.

I am wondering if that is the case with NSD.

Thoughts?

Hoi Michael,

> Hi,
>
> I'm currently busy rebuilding many of my server applications to
> use LibreSSL instead of OpenSSL.
>
> I noticed that NSD links against OpenSSL and I am curious as to if
> that is really necessary.

It can link against LibreSSL if you want, and that works. (You just
need to set it up so that it does that, like switching to LibreSSL for
the FreeBSD system, or use the --with-ssl configure option).

> I am guessing some cryptographic functions are used when it pushes
> zone changes to slaves, but does it actually use a TLS connection?

The HMAC TSIG uses crypto, SHA1, SHA256, SHA512. NSEC3 uses hashes.
The nsd-control functionality uses TLS. These work with LibreSSL and
OpenSSL.

For DNSSEC algorithms, NSD does not need library support to serve the
correct DNSSEC signatures to clients.

Best regards,
   Wouter

Hi,

Hi Antti,

> Hi,
>
> For DNSSEC algorithms, NSD does not need library support to serve
> the correct DNSSEC signatures to clients.

I wonder if it needs the library support for serving NSEC3 signed
zones, though?

Yes, for the SHA1_Init(), SHA1_Update(), SHA1_Final() calls. LibreSSL and
OpenSSL provide them in their API.

The authority server has to calculate the nsec3 hash of domain names.
That is why the sha1 functions are used.

Best regards,
   Wouter
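The NSEC3 owner-name hash Wouter refers to, as an added example (not NSD's own code): it implements the iterated SHA-1 of RFC 5155 section 5 over the canonical wire-format name plus salt, using Python's hashlib where NSD calls SHA1_Init/Update/Final. The salt aabbccdd and 12 iterations are the NSEC3PARAM values of the RFC 5155 Appendix A example zone; the function also handles the wildcard and zero-iteration cases.

```python
import hashlib

# base32hex ("Extended Hex", RFC 4648) alphabet, emitted lowercase as in zone files
_B32HEX = "0123456789abcdefghijklmnopqrstuv"


def name_to_wire(name: str) -> bytes:
    """Uncompressed, lowercased wire form of an owner name (RFC 4034 canonical form)."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    wire = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"  # the empty root label terminates the name


def base32hex(data: bytes) -> str:
    """base32hex without padding; a 20-byte SHA-1 digest encodes to exactly 32 chars."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(_B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """RFC 5155 section 5 with hash algorithm 1 (SHA-1):
         IH(salt, x, 0) = H(x || salt)
         IH(salt, x, k) = H(IH(salt, x, k-1) || salt)
    The NSEC3 owner name is base32hex(IH(salt, name, iterations)).
    Flags such as Opt-Out do not enter the hash."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


if __name__ == "__main__":
    # Parameters of the RFC 5155 Appendix A example zone (salt aabbccdd, 12 iterations).
    salt = bytes.fromhex("aabbccdd")
    for owner in ("example.", "ai.example.", "*.w.example."):
        print(f"{nsec3_hash(owner, salt, 12)}.example.  <- {owner}")
```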