This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: Building consensus over DNSSEC enhancements to glibc.
- From: Paul Wouters <pwouters at redhat dot com>
- To: Florian Weimer <fweimer at redhat dot com>, "Carlos O'Donell" <carlos at redhat dot com>
- Cc: Rich Felker <dalias at libc dot org>, Simo Sorce <simo at redhat dot com>, Petr Spacek <pspacek at redhat dot com>, libc-alpha at sourceware dot org
- Date: Fri, 20 Nov 2015 10:11:44 +0900
- Subject: Re: Building consensus over DNSSEC enhancements to glibc.
- Authentication-results: sourceware.org; auth=none
- References: <563CED63 dot 1070201 at redhat dot com> <20151106182835 dot GC3818 at brightrain dot aerifal dot cx> <563D0953 dot 9020707 at redhat dot com> <56407C19 dot 2080906 at redhat dot com> <20151109180310 dot GO3818 at brightrain dot aerifal dot cx> <5649A3F3 dot 2060309 at redhat dot com> <20151116161642 dot GQ3818 at brightrain dot aerifal dot cx> <564A0FED dot 9010408 at redhat dot com> <20151116181740 dot GS3818 at brightrain dot aerifal dot cx> <564A1E3E dot 5090703 at redhat dot com> <20151116182322 dot GU3818 at brightrain dot aerifal dot cx> <564AB3F9 dot 4020404 at redhat dot com> <564AC146 dot 1040305 at redhat dot com> <564AD51D dot 4040100 at redhat dot com> <564AE333 dot 9090200 at redhat dot com> <564B7A42 dot 6050603 at redhat dot com> <564BD6E6 dot 5040506 at redhat dot com> <564D5CAC dot 6040204 at redhat dot com> <564DDB9C dot 6080606 at redhat dot com>
On 11/19/2015 11:24 PM, Florian Weimer wrote:
> On 11/19/2015 06:22 AM, Carlos O'Donell wrote:
>> Dare I say that systemd-resolved might solve some of this already?
>
> Unfortunately, systemd-resolved caches far too aggressively and will
> poison its cache, even accidentally. Various parties have tried to
> explain this to the upstream developers, but have not succeeded.
Yeah, I ran into similar problems and mostly got back "I wrote avahi so I know DNS".
> systemd-resolved should be safe to run behind a BIND 9 recursive server
> in non-forwarding mode, but not much else (I believe even Unbound is
> unsafe due to its last-resort message handling).
>
> systemd-resolved also does not handle exotic record types, I think, it
> is more an NSS-level solution than a libresolv-level solution.
>
> (An earlier attempt in this direction is lwresd, which is part of BIND 9.)
libreswan (well, openswan) used to support lwresd but we replaced it with libunbound.
I'm not sure if ISC still supports it or actively maintains it.
Paul