This is the mail archive of the
mailing list for the glibc project.
Re: resolv.conf format for DNSSEC [was: DNSSEC support in stub-resolver]
- From: Petr Spacek <pspacek at redhat dot com>
- To: libc-alpha at sourceware dot org
- Date: Fri, 20 Jun 2014 10:21:50 +0200
On 13.6.2014 13:32, Nikos Mavrogiannopoulos wrote:
> On Thu, 2014-06-12 at 09:08 -0700, Roland McGrath wrote:
>> Are there other systems with DNSSEC support built in?
>> What syntax do they use for resolv.conf?
>
> I'm not aware of any system with dnssec built-in on libc and the ones I
> know I don't think they distinguish between trusted and non-trusted name
> servers. As it is now applications use external libraries for the dnssec
> operations (e.g., libunbound, or APIs like [0,1]), and these libraries
> have their own configuration, rather than rely on resolv.conf.

I looked into it a bit and it seems that none of the latest versions of FreeBSD,
OpenBSD, or NetBSD has support for DNSSEC as described in this thread.
Of those three, only OpenBSD supports the RES_USE_DNSSEC flag, but I didn't find
any means for declaring name servers as trusted or untrusted.
It seems we are first so we can define a new configuration option/format for
Also, Nikos found out that sometimes VPNs and DHCP clients overwrite
/etc/resolv.conf completely, so any new option will be lost.
Is it a good enough reason to create a new file, let's say /etc/resolv-sec.conf,
for the purpose of declaring name servers as trusted?
An obvious advantage is that we could re-use existing file-parsing code :-)
You can see a proof-of-concept implementation for the c-ares resolver library on:
I would be really glad if we could cooperate with other libraries to prevent
us from being mutually incompatible.
So the most important question - is a new file acceptable? Do you have some
better for it?
Have a nice day!
Petr Spacek @ Red Hat