This is the mail archive of the mailing list for the glibc project.
Re: resolv.conf format for DNSSEC [was: DNSSEC support in stub-resolver]
- From: P J P <pj dot pandit at yahoo dot co dot in>
- To: "libc-alpha at sourceware dot org" <libc-alpha at sourceware dot org>
- Date: Tue, 17 Jun 2014 14:46:58 +0800
- Subject: Re: resolv.conf format for DNSSEC [was: DNSSEC support in stub-resolver]
- Authentication-results: sourceware.org; auth=none
- References: <535E41F5 dot 5020109 at redhat dot com> <loom dot 20140612T135904-448 at post dot gmane dot org> <20140612160823 dot E308B2C39C1 at topped-with-meat dot com> <1402659130 dot 6191 dot 52 dot camel at dhcp-2-127 dot brq dot redhat dot com> <20140613163110 dot GB179 at brightrain dot aerifal dot cx> <1402902619 dot 2357 dot 1 dot camel at dhcp-2-127 dot brq dot redhat dot com>
- Reply-to: P J P <pj dot pandit at yahoo dot co dot in>
> On Monday, 16 June 2014 12:40 PM, Nikos Mavrogiannopoulos <email@example.com> wrote:
>> On Fri, 2014-06-13 at 12:31 -0400, Rich Felker wrote:
>> IMO the right way to do DNSSEC is to run a nameserver (recursive or
>> just caching) on localhost, list it as the only nameserver in
>> resolv.conf, and have it be responsible for verification of trust.
>> Then in case of any vulnerability, the worst that happens is the
>> attacker gaining control over name resolution on the host, rather than
>> gaining full privilege elevation to the privilege level of the process
>> performing the lookup.
> This is what I am proposing, and this is the reason we need the
> additional resolv.conf entry to allow specifying the trusted (for
> dnssec) name server.
IIUC Rich's comment, the resolver at 127.0.0.1:53 should be trusted implicitly, without any explicit annotation. But until a local validating resolver is ubiquitous, we need some way to explicitly designate trusted resolvers in /etc/resolv.conf. It is likely that such a new configuration parameter would eventually remain unused, once we have a resolver running at 127.0.0.1:53.
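The two positions in this exchange (implicit trust for a loopback resolver, versus an explicit resolv.conf entry that designates a trusted validator) can be written down as a small policy. The following is an added example, not glibc code or anything from this thread; the `trusted-nameserver` keyword is a hypothetical syntax standing in for the proposed entry, and the resolv.conf content is constructed.

```python
# Added example (not glibc code): decide whether the AD (Authenticated Data) bit in a
# DNS response may be honored, based on which resolver answered. Loopback resolvers are
# trusted implicitly (Rich's position); "trusted-nameserver" is a HYPOTHETICAL keyword
# standing in for the explicit resolv.conf entry proposed in the thread.
import ipaddress

TRUSTED_KEYWORD = "trusted-nameserver"   # hypothetical, not a real resolv.conf keyword

def parse_resolv_conf(text):
    """Return a list of (address, explicitly_trusted) tuples in file order."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()   # strip comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) == 2:
            servers.append((parts[1], False))
        elif parts[0] == TRUSTED_KEYWORD and len(parts) == 2:
            servers.append((parts[1], True))
        # other keywords (search, options, ...) do not affect trust decisions
    return servers

def is_trusted(address, explicitly_trusted):
    """A resolver is trusted if it is on loopback, or was explicitly designated."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return False                      # unparsable address: never trusted
    return addr.is_loopback or explicitly_trusted

def accept_ad_bit(servers, answering_server, ad_bit_set):
    """Honor the AD bit only when the answering server is a trusted validator.
    An untrusted server's AD bit is meaningless: anyone on the path could set it."""
    for address, explicit in servers:
        if address == answering_server:
            return ad_bit_set and is_trusted(address, explicit)
    return False                          # answer came from a server not listed at all

# Constructed sample: a local validating resolver, an ISP resolver that must not be
# trusted for DNSSEC, and a remote validator the admin explicitly designated.
SAMPLE = """\
# constructed resolv.conf
nameserver 127.0.0.1
nameserver 192.0.2.53
trusted-nameserver 198.51.100.1
search example.test
"""

if __name__ == "__main__":
    for addr, explicit in parse_resolv_conf(SAMPLE):
        print(addr, "trusted" if is_trusted(addr, explicit) else "untrusted")
```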