This is the mail archive of the mailing list for the glibc project.


resolv.conf format for DNSSEC [was: DNSSEC support in stub-resolver]

Petr Spacek <pspacek <at>> writes:
> Configuration
> =============

I'm working on an extension of a DNS library for DNSSEC, and knowing which
format will be used (or is planned to be used) by glibc in resolv.conf for
DNSSEC queries would really help. In a few words, the issue is that although
typically the trusted resolver would be the "localhost" resolver, there are
several cases where that is not possible, and a non-localhost IP needs to be
specified. Thus resolv.conf needs to be extended with a way to specify the
trusted server(s).

> 1) Extend nameserver line in /etc/resolv.conf
> nameserver trusted=true
> nameserver # default is trusted=false
> I'm afraid that this will not work. I expect many programs parsing 
> /etc/resolv.conf and expecting the "classical" format ...
> 2) Put per-resolver configuration to a separate (optional!) file
> E.g. /etc/resolv.ext (propose your own name)
> nameserver trusted=true
> It seems a bit weird but maybe it is the cleanest option we have...

That is unfortunately not backwards compatible, meaning that old
applications that parse /etc/resolv.conf by themselves will fail.

> 3) Extend option syntax in /etc/resolv.conf
> options trusted:
> I have no idea how in/compatible this change can be.
> 4) Add a new verb to /etc/resolv.conf
> trusted-nameservers 2001:DB8::1234

I think the simplest is trusted-nameserver. That is because it
is backwards compatible (an old parser will still work), and the logic of
parsing remains the same, thus applications can re-use the same code.

What are the opinions of the libc developers on that?
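
The backwards-compatibility argument for option 4, as an added example that is not part of the original message and is not glibc code: the same parsing loop is run once as a legacy parser and once with the proposed `trusted-nameserver` verb enabled. It assumes that a legacy parser skips keywords it does not know, and it accepts only IP literals as server addresses; the struct, function names and sample file are constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define MAX_NS 3 /* classic resolvers keep at most three servers (MAXNS) */

struct resolv_cfg {
    char ns[MAX_NS][64];      int n_ns;
    char trusted[MAX_NS][64]; int n_trusted;
};

/* Accept only IPv4/IPv6 literals, never host names. */
static int is_ip_literal(const char *s) {
    unsigned char buf[16];
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* extended == 0 models a legacy parser that knows only "nameserver" and
   skips unknown keywords (assumption). Returns the trusted-server count. */
static int parse_resolv(const char *text, int extended, struct resolv_cfg *cfg) {
    char line[256], key[32], val[64];
    memset(cfg, 0, sizeof *cfg);
    while (*text) {
        size_t len = strcspn(text, "\n");
        size_t n = len < sizeof line - 1 ? len : sizeof line - 1;
        memcpy(line, text, n);
        line[n] = '\0';
        text += len + (text[len] == '\n');
        if (sscanf(line, "%31s %63s", key, val) != 2 || !is_ip_literal(val))
            continue; /* comments, options, malformed addresses */
        if (strcmp(key, "nameserver") == 0 && cfg->n_ns < MAX_NS)
            strcpy(cfg->ns[cfg->n_ns++], val);
        else if (extended && strcmp(key, "trusted-nameserver") == 0 && cfg->n_trusted < MAX_NS)
            strcpy(cfg->trusted[cfg->n_trusted++], val);
    }
    return cfg->n_trusted;
}

/* Constructed sample file, not taken from the thread. */
static const char SAMPLE[] =
    "nameserver 192.0.2.53\n"
    "trusted-nameserver 2001:DB8::1234\n"
    "trusted-nameserver resolver.example\n"
    "options timeout:2\n";

int main(void) {
    struct resolv_cfg c;
    int legacy = parse_resolv(SAMPLE, 0, &c);
    int ext = parse_resolv(SAMPLE, 1, &c);
    printf("legacy parser: %d trusted, extended parser: %d trusted\n", legacy, ext);
    return 0;
}
```

Both runs yield the same `nameserver` list; only the extended run records a trusted server, and the host-name entry is dropped because it is not an IP literal.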

