domain icon indicating copy to clipboard operation
domain copied to clipboard
verified publisher icon NLnetLabs

Overhaul feature flags for DNSSEC / crypto

Open bal-e opened this issue 5 months ago • 3 comments

  • ring and openssl now enable a shared unstable-crypto-backend feature, which is used internally to test whether a common backend is available.

  • Examples / doc tests in crypto, relying on crypto::common, have been moved to the submodule to avoid needing more cfg magic.

  • unstable-crypto now enables std; this requirement was previously undetected (and the CI will be adjusted to try to catch more of these over time), but compilation would fail without it.

  • unstable-sign and unstable-validator now fail to compile if ring and/or openssl are not enabled. Previously, those modules would remain configured out. Its status as a breaking change is debatable, but in any case it only affects unstable features.

bal-e avatar Jun 30 '25 13:06 bal-e

This should also fix the CI failure in #547.

bal-e avatar Jun 30 '25 13:06 bal-e

Can we rename it to 'internal-crypto-backend' or any other convention to show that something is not to be used?

Philip-NLnetLabs avatar Jun 30 '25 14:06 Philip-NLnetLabs

I think having a separate prefix for internal features would indeed be good. I don’t think we need a separate prefix for internal unstable features, though, given that they not user-facing, anyway.

partim avatar Nov 06 '25 15:11 partim