This is the mail archive of the mailing list for the glibc project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: resolv.conf format for DNSSEC [was: DNSSEC support in stub-resolver]

On Tue, 2014-06-17 at 14:46 +0800, P J P wrote:

> > This is what I am proposing, and this is the reason we need the
> > additional resolv.conf entry to allow specifying the trusted (for
> > dnssec) name server.
> IIUC Rich's
> comment, resolver at should be trusted implicitly,
> any explicit annotation. But till that time when local validating
> resolver is ubiquitous, we need some way to explicitly designate
> trusted resolvers in /etc/resolv.conf. It is likely that such new
> configuration parameter would eventually remain unused, once we have
> resolver running at

There are two issues:
1. As an application author you don't know whether the localhost
resolver on an arbitrary user is trusted for dnssec or not (it may be an
old resolver that simply copies the AD bit without any check). The
administrator of the system though, he knows and he can explicitly mark
it as so.
2. That would actually mean that virtual hosts (qemu,docker) within a
host cannot use the host's resolver (and cache) and have to implement
resolving by their own. In most of the cases (especially in docker
images) this is undesirable as you want to minimize the resources in the

For these cases, we need an explicit way to specify the trusted dnssec
for a host. Whether it is within resolv.conf or in another file, is not
of importance. Of importance is to agree on some method, and if glibc
decides on one, the others will follow.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]