This is the mail archive of the
mailing list for the glibc project.
EDNS0 / DO support in resolver
- From: Geert Jansen <geert at boskant dot nl>
- To: libc-alpha at sourceware dot org
- Date: Tue, 05 Sep 2006 00:20:22 +0200
- Subject: EDNS0 / DO support in resolver
it seems that the resolver in glibc does not support the EDNS0 extension
specified in RFC2761. This makes it unsuitable for use with DNSSEC
applications that use the Authentic Data ("AD") bit in the DNS response
to verify data authenticity.
According to RFC3655: "The AD bit MUST only be set if DNSSEC records
have been requested via the DO bit [RFC3225] and relevant SIG records
are returned." RFC3225 specifies that the DO bit is set in the EDNS0 header.
A real-world application that demonstrates the problem is openssh. It
has the possiblity to verify SSH fingerprints using SSHFP RRs. It will
accept these records only if the data is authentic, implied by the AD
being set on the response. But when using the resolver in glibc, no DO
bit is sent and hence no AD bits are returned. This means that openssh
is unable to verify key fingerprints.
As a workaround one can compile openssh with the resolver library
shipped with bind. I tried 9.3.2 myself and it worked (note: you need to
set the "edns0" option in /etc/resolv.conf as well). However, in the
long term I think that glibc should implement this natively. Maybe this
is as easy as re-syncing the resolver in glibc (which seems to have
originated from bind) against the latest upstream?