Re: resolv.conf format for DNSSEC [was: DNSSEC support in stub-resolver]

> On Monday, 16 June 2014 12:40 PM, Nikos Mavrogiannopoulos <> wrote:

>> On Fri, 2014-06-13 at 12:31 -0400, Rich Felker wrote:
>> IMO the right way to do DNSSEC is to run a nameserver (recursive or
>> just caching) on localhost, list it as the only nameserver in
>> resolv.conf, and have it be responsible for verification of trust.
>> Then in case of any vulnerability, the worst that happens is the
>> attacker gaining control over name resolution on the host, rather than
>> gaining full privilege elevation to the privilege level of the process
>> performing the lookup.
> This is what I am proposing, and this is the reason we need the
> additional resolv.conf entry to allow specifying the trusted (for
> dnssec) name server.

IIUC Rich's comment, the resolver at should be trusted implicitly, without any explicit annotation. But until that time when a local validating resolver is ubiquitous, we need some way to explicitly designate trusted resolvers in /etc/resolv.conf. It is likely that such a new configuration parameter would eventually remain unused, once we have a resolver running at
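The "local validating resolver is the only nameserver" model discussed above can be checked on a host by parsing resolv.conf and confirming that every nameserver entry is a loopback address. The following is an added example, not code from this thread or from any libc; it assumes the standard `nameserver` keyword syntax and uses constructed sample file contents.

```python
import ipaddress

def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses from resolv.conf text, in file order.
    Comments (# or ;) and other keywords (search, options, ...) are ignored."""
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            try:
                servers.append(ipaddress.ip_address(fields[1]))
            except ValueError:
                pass  # malformed address: not a usable nameserver, skip it
    return servers

def only_local_resolver(resolv_conf_text):
    """True iff at least one nameserver is listed and all of them are loopback
    (127.0.0.0/8 or ::1), i.e. no lookup can go to an unvalidated remote server."""
    servers = parse_nameservers(resolv_conf_text)
    return bool(servers) and all(s.is_loopback for s in servers)

# Constructed sample contents, not taken from any real host.
LOCAL_ONLY = "# local validating resolver\nnameserver 127.0.0.1\noptions edns0\n"
MIXED = "nameserver ::1\nnameserver 192.0.2.53  # upstream, not validating\n"

if __name__ == "__main__":
    print("LOCAL_ONLY ok:", only_local_resolver(LOCAL_ONLY))  # True
    print("MIXED ok:", only_local_resolver(MIXED))            # False
```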


