This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH] Silence resolver logging for DNAME records when DNSSEC is enabled


On 02/23/2015 04:41 PM, Carlos O'Donell wrote:
>>> * The semantics of the DO bit remain roughly the same.
>>
>> That depends what the semantics are.  If “DO” means “DNSSEC OK”, then
>> the semantics did change significantly.  If it means “you can send along
>> random garbage, and I will cope”, semantics remained unchanged.
> 
> Why? The original RFC says simply that the DO bit means "can accept DNSSEC
> security RRs" but says nothing about needing to understand them.

The original RFC probably meant to restrict the effect to the record
types known at the time (SIG and NXT; KEY is not relevant in this
context).  glibc reflected this in its logging decision; the few DNS
implementations which sent the DO bit by default apparently did not,
which is why the flag was reused.

-- 
Florian Weimer / Red Hat Product Security

