resolv.conf format for DNSSEC [was: DNSSEC support in stub-resolver]

[Nikos Mavrogiannopoulos <nmav at redhat dot com>]

Petr Spacek <pspacek <at> redhat.com> writes:
> Configuration
> =============
[...]

Hello,
 I'm working on an extension of a DNS library for DNSSEC, and knowing which
format will be used (or is planned to be used) by glibc in resolv.conf for
dnssec queries would really help. In few words, the issue is that although
typically the trusted resolver would be the "localhost" resolver, there are
several cases where that is not possible, and a non-localhost IP needs to be
specified. Thus resolv.conf needs to be extended with a way to specify the
trusted server(s).

> 1) Extend nameserver line in /etc/resolv.conf
> nameserver 127.0.0.1 trusted=true
> nameserver 192.0.2.1 # default is trusted=false
> I'm afraid that this will not work. I expect many programs parsing 
> /etc/resolv.conf and expecting the "classical" format ...
> 2) Put per-resolver configuration to a separate (optional!) file
> E.g. /etc/resolv.ext (propose your own name)
> nameserver 127.0.0.1 trusted=true
> It seems a bit weird but maybe it is the cleanest option we have...

That is unfortunately not backwards compatible, meaning that old
applications that parse /etc/resolv.conf by themselves will fail.

> 3) Extend option syntax in /etc/resolv.conf
> options trusted:127.0.0.1
> I have no idea how in/compatible this change can be.
> 4) Add a new verb to /etc/resolv.conf
> trusted-nameservers 127.0.0.1 192.0.2.1 2001:DB8::1234

I think the simplest is trusted-nameserver 192.168.5.1. That is because it
is backwards compatible (an old parser will still work), and the logic of
parsing remains the same, thus applications can re-use the same code.

What are the opinions of the libc developers on that?

regards,
Nikos