This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: resolv.conf format for DNSSEC [was: DNSSEC support in stub-resolver]
- From: Rich Felker <dalias at libc dot org>
- To: Petr Spacek <pspacek at redhat dot com>
- Cc: libc-alpha at sourceware dot org
- Date: Fri, 20 Jun 2014 09:45:54 -0400
- Subject: Re: resolv.conf format for DNSSEC [was: DNSSEC support in stub-resolver]
- Authentication-results: sourceware.org; auth=none
- References: <535E41F5 dot 5020109 at redhat dot com> <loom dot 20140612T135904-448 at post dot gmane dot org> <20140612160823 dot E308B2C39C1 at topped-with-meat dot com> <1402659130 dot 6191 dot 52 dot camel at dhcp-2-127 dot brq dot redhat dot com> <53A3EF1E dot 2070909 at redhat dot com>
On Fri, Jun 20, 2014 at 10:21:50AM +0200, Petr Spacek wrote:
> On 13.6.2014 13:32, Nikos Mavrogiannopoulos wrote:
> >On Thu, 2014-06-12 at 09:08 -0700, Roland McGrath wrote:
> >>Are there other systems with DNSSEC support built in?
> >>What syntax do they use for resolv.conf?
> >
> >I'm not aware of any system with dnssec built-in on libc and the ones I
> >know I don't think they distinguish between trusted and non-trusted name
> >servers. As it is now applications use external libraries for the dnssec
> >operations (e.g., libunbound, or APIs like [0,1]), and these libraries
> >have their own configuration, rather than rely on resolv.conf.
> >
> >regards,
> >Nikos
> >
> >
> >[0].
> >http://tools.ietf.org/html/draft-hayatnagarkar-dnsext-validator-api-09
> >[1]. http://www.vpnc.org/getdns-api/
>
> I looked into it a bit; it seems that none of the latest versions of
> (FreeBSD, OpenBSD, NetBSD) has support for DNSSEC as described in
> this thread.
>
> From those three, only OpenBSD supports RES_USE_DNSSEC flag but I
> didn't find any means for declaring name servers as trusted or
> untrusted.
>
> It seems we are first so we can define a new configuration
> option/format for this purpose.
>
> Also, Nikos found out [1] that sometimes VPNs and DHCP clients
> overwrite /etc/resolv.conf completely so any new option will be
> lost.
>
> Is it a good enough reason to create a new file, let's say
> /etc/resolv-sec.conf, for the purpose of declaring name servers as
> trusted?
I don't think so. Rather, this issue would be a good impetus for
getting such broken DHCP clients fixed. If the user wants resolv.conf
updated for the DHCP-provided nameservers, this should be done via a
callback script that can merge in other static settings, not direct
overwriting. Note that there are already other options that suffer
from this overwriting issue (e.g. domain/search, options, etc.), so
making a new config file just for the DNSSEC options is a band-aid, not
a proper fix.
Rich
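The merge-instead-of-overwrite hook Rich describes, as an added example that is not part of the thread and not glibc or any DHCP client's own code. It assumes a hypothetical layout: static settings (search, domain, options, and whatever DNSSEC option might be added later) live in a separate file such as /etc/resolv.conf.static, the DHCP client passes its nameserver list as positional arguments, and only the first three nameservers are kept because glibc stops reading at MAXNS (3). Static lines other than `nameserver` are copied through verbatim, so a new lease can no longer wipe them out.

```shell
#!/bin/sh
# Added example (not from the thread, glibc, or any DHCP client): a DHCP hook
# that merges the DHCP-provided nameservers into resolv.conf rather than
# overwriting it, so search/domain/options lines survive every new lease.
#
# Assumptions (hypothetical, chosen for this example):
#   - static settings live in a separate file, e.g. /etc/resolv.conf.static;
#   - the DHCP client passes the nameserver list as positional arguments;
#   - at most 3 nameservers are emitted (glibc reads no more than MAXNS = 3).

# merge_resolv_conf STATIC_FILE OUT_FILE [NAMESERVER...]
merge_resolv_conf() {
    static_file=$1
    out_file=$2
    shift 2

    # Build the new file next to the target and rename it into place, so a
    # resolver that opens resolv.conf mid-update never sees a partial file.
    tmp=$(mktemp "${out_file}.XXXXXX") || return 1
    {
        echo "# Generated from $static_file by merge_resolv_conf; edit that file, not this one."

        if [ -f "$static_file" ]; then
            # Nameservers are DHCP-managed in this design: report (on stderr)
            # and drop any 'nameserver' lines someone put in the static file.
            grep '^[[:space:]]*nameserver[[:space:]]' "$static_file" |
                sed 's/^/warning: ignoring static line: /' >&2
            # Every other static line (search, domain, options, ...) is kept verbatim.
            grep -v '^[[:space:]]*nameserver[[:space:]]' "$static_file" || true
        fi

        # Append the DHCP nameservers, skipping duplicates and stopping at 3.
        count=0
        seen=" "
        for ns in "$@"; do
            case "$seen" in *" $ns "*) continue ;; esac
            [ "$count" -lt 3 ] || break
            seen="$seen$ns "
            echo "nameserver $ns"
            count=$((count + 1))
        done
    } > "$tmp"
    mv "$tmp" "$out_file"
}
```

From a dhclient hook this would be invoked as `merge_resolv_conf /etc/resolv.conf.static /etc/resolv.conf $new_domain_name_servers`; the same function serves a VPN client's up-script, which is the other overwriter named in the thread.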