This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] Silence resolver logging for DNAME records when DNSSEC is enabled
- From: Florian Weimer <fweimer at redhat dot com>
- To: "Carlos O'Donell" <carlos at redhat dot com>, Siddhesh Poyarekar <siddhesh at redhat dot com>, libc-alpha at sourceware dot org
- Date: Mon, 23 Feb 2015 16:44:57 +0100
- Subject: Re: [PATCH] Silence resolver logging for DNAME records when DNSSEC is enabled
On 02/23/2015 04:41 PM, Carlos O'Donell wrote:
>>> * The semantics of the DO bit remain roughly the same.
>>
>> That depends what the semantics are. If “DO” means “DNSSEC OK”, then
>> the semantics did change significantly. If it means “you can send along
>> random garbage, and I will cope”, semantics remained unchanged.
>
> Why? The original RFC says simply that the DO bit means "can accept DNSSEC
> security RRs" but says nothing about needing to understand them.
The original RFC probably meant to restrict the effect to the record
types known at the time (SIG and NXT; KEY is not relevant in this
context). glibc reflected this in its logging decision; the few DNS
implementations which sent the DO bit by default apparently did not,
which is why the flag was reused.
--
Florian Weimer / Red Hat Product Security
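As an added illustration of the point argued in this thread (not code from glibc or from any participant): how the DO bit is carried in the EDNS0 OPT pseudo-RR, and how the two readings of "DO" discussed above change which record types a resolver would treat as unexpected in a response. The two type tables and the `unexpected_types` policy function are this example's own assumptions for illustration, not glibc's actual logging logic.

```python
import struct

TYPE_OPT = 41      # EDNS0 OPT pseudo-RR
TYPE_CNAME = 5
TYPE_DNAME = 39
DO_FLAG = 0x8000   # DO bit: high bit of the low 16 bits of the OPT RR's TTL field

# "DNSSEC security RRs" as the original DNSSEC RFC knew them. KEY (type 25)
# is omitted, as the thread notes it is not relevant to this decision.
RFC2535_SECURITY_TYPES = {24: "SIG", 30: "NXT"}
# Record types a resolver setting DO is expected to cope with today.
MODERN_SECURITY_TYPES = {43: "DS", 46: "RRSIG", 47: "NSEC", 48: "DNSKEY",
                         50: "NSEC3", 51: "NSEC3PARAM"}


def build_opt_rr(udp_payload_size=4096, dnssec_ok=True):
    """Wire-format OPT RR: root name, TYPE=41, CLASS=UDP payload size,
    TTL=flags (extended RCODE 0, EDNS version 0, DO, Z=0), empty RDATA."""
    ttl = DO_FLAG if dnssec_ok else 0
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload_size, ttl, 0)


def parse_opt_rr(rr):
    """Return (udp_payload_size, dnssec_ok) from a wire-format OPT RR."""
    if rr[:1] != b"\x00":
        raise ValueError("OPT RR must carry the root name")
    rtype, size, ttl, rdlen = struct.unpack("!HHIH", rr[1:11])
    if rtype != TYPE_OPT or len(rr) != 11 + rdlen:
        raise ValueError("not a well-formed OPT RR")
    return size, bool(ttl & DO_FLAG)


def unexpected_types(answer_types, qtype, dnssec_ok, security_types):
    """Assumed policy: the queried type and CNAME are always acceptable;
    DNSSEC-specific types are acceptable only when DO was set, and then only
    those in `security_types`. Everything else is unexpected (and might be
    logged). DNAME appears in neither table, so a narrow reading of DO still
    flags it even though RRSIG would pass under the modern reading."""
    allowed = {qtype, TYPE_CNAME}
    if dnssec_ok:
        allowed |= set(security_types)
    return sorted({t for t in answer_types if t not in allowed})


if __name__ == "__main__":
    # Constructed response: CNAME, DNAME and RRSIG returned for an A query.
    answer = [TYPE_CNAME, TYPE_DNAME, 46]
    print(parse_opt_rr(build_opt_rr()))
    print(unexpected_types(answer, 1, True, RFC2535_SECURITY_TYPES))
    print(unexpected_types(answer, 1, True, MODERN_SECURITY_TYPES))
```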