This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: Building consensus over DNSSEC enhancements to glibc.
- From: Paul Wouters <pwouters at redhat dot com>
- To: "Carlos O'Donell" <carlos at redhat dot com>, Petr Spacek <pspacek at redhat dot com>, libc-alpha at sourceware dot org
- Cc: Simo Sorce <simo at redhat dot com>
- Date: Mon, 16 Nov 2015 18:40:24 +0900
- Subject: Re: Building consensus over DNSSEC enhancements to glibc.
- Authentication-results: sourceware.org; auth=none
- References: <563A6E40 dot 9040508 at redhat dot com> <20151105012328 dot GU8645 at brightrain dot aerifal dot cx> <563C760E dot 4060107 at redhat dot com> <5646B713 dot 2050302 at redhat dot com>
On 11/14/2015 01:22 PM, Carlos O'Donell wrote:
> On 11/06/2015 04:42 AM, Petr Spacek wrote:
>> The proposed AD bit stripping was an easy and cheap way to do this at one
>> place in the system, with central configuration, which would allow us to
>> eliminate all kinds of weird re-implementations in applications.
>
> You have it.
>
> Use `options dns-strip-dnssec-ad-bit` until you have NetworkManager running
> with the right options and a local validating resolver.
>
> I agree with Rich Felker. You must not allow anything to change /etc/resolv.conf
> that isn't the master process (e.g. resolvconf in Ubuntu) which is in charge of
> policy.
That is not a realistic policy. If such a policy resulted in workable systems, we would
have selinuxed the shit out of /etc/resolv.conf to make sure no one could ever edit it.
People too often depend on other processes (vpn clients, puppet, ansible and what not) that
require them (for stupid reasons we will keep telling them to fix) to change resolv.conf.
Paul
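As an added illustration of what "AD bit stripping" in the thread above refers to (this is example code written for this archive page, not glibc code and not something either poster wrote): the AD (Authenticated Data) flag lives in the second 16-bit word of the DNS message header, and a validating resolver sets it to tell the stub that the answer passed DNSSEC validation. A stub that blindly trusts that bit from an arbitrary nameserver in resolv.conf is trusting whatever put that server there. The code below parses the header, clears the AD flag, and applies a simple policy of only keeping it when the response came from a loopback (local validating) resolver. The sample response bytes, the `192.0.2.1` answer and the loopback-only rule are constructed assumptions for the example, not anything the thread specifies.

```python
import ipaddress
import struct

# Flag bits in the second 16-bit word of the DNS header (RFC 1035 / RFC 4035).
QR_FLAG = 0x8000  # response
RD_FLAG = 0x0100  # recursion desired
RA_FLAG = 0x0080  # recursion available
AD_FLAG = 0x0020  # authenticated data (set by a validating resolver)
CD_FLAG = 0x0010  # checking disabled

HEADER_LEN = 12


def header_flags(message: bytes) -> int:
    """Return the 16-bit flags word of a DNS message header."""
    if len(message) < HEADER_LEN:
        raise ValueError("DNS message shorter than its 12-byte header")
    return struct.unpack("!H", message[2:4])[0]


def has_ad_bit(message: bytes) -> bool:
    """True if the response claims DNSSEC-validated data."""
    return bool(header_flags(message) & AD_FLAG)


def strip_ad_bit(message: bytes) -> bytes:
    """Return a copy of the message with the AD flag cleared.

    Only the flags word is rewritten; question and answer sections are
    passed through byte-for-byte, so the message length is unchanged.
    """
    flags = header_flags(message) & ~AD_FLAG & 0xFFFF
    return message[:2] + struct.pack("!H", flags) + message[HEADER_LEN - 8 :]


def sanitize_response(message: bytes, nameserver: str) -> bytes:
    """Policy from the discussion: trust AD only from a local validating resolver.

    The loopback test is an assumption made for this example; a real stub
    resolver would tie this to its resolv.conf configuration instead.
    """
    if ipaddress.ip_address(nameserver).is_loopback:
        return message
    return strip_ad_bit(message)


# Constructed sample: a response for "example.com A" with QR, RD, RA and AD set.
# Header: id=0x1234, flags=0x81A0, qdcount=1, ancount=1, nscount=0, arcount=0.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, QR_FLAG | RD_FLAG | RA_FLAG | AD_FLAG, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)  # question: A IN
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4)     # answer: ptr, A, IN, TTL, rdlen
    + bytes([192, 0, 2, 1])                                  # constructed address
)


if __name__ == "__main__":
    for server in ("127.0.0.1", "192.0.2.53"):
        out = sanitize_response(SAMPLE_RESPONSE, server)
        print(f"from {server}: flags=0x{header_flags(out):04x} AD={has_ad_bit(out)}")
```

Run it and the loopback server keeps `AD=True` while the remote one is reported as `AD=False`; everything after the four header bytes is untouched, which is why such stripping can be done cheaply in one place in the stub resolver, as Petr's quoted text describes.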