This is the mail archive of the mailing list for the glibc project.


Re: resolv.conf format for DNSSEC [was: DNSSEC support in stub-resolver]

On 13.6.2014 13:32, Nikos Mavrogiannopoulos wrote:
> On Thu, 2014-06-12 at 09:08 -0700, Roland McGrath wrote:
>> Are there other systems with DNSSEC support built in?
>> What syntax do they use for resolv.conf?
>
> I'm not aware of any system with DNSSEC built-in on libc, and the ones I
> know I don't think distinguish between trusted and non-trusted name
> servers. As it is now, applications use external libraries for the DNSSEC
> operations (e.g., libunbound, or APIs like [0,1]), and these libraries
> have their own configuration, rather than rely on resolv.conf.

I looked into it a bit; it seems that none of the latest versions of FreeBSD, OpenBSD, or NetBSD has support for DNSSEC as described in this thread.

Of those three, only OpenBSD supports the RES_USE_DNSSEC flag, but I didn't find any means for declaring name servers as trusted or untrusted.

It seems we are the first, so we can define a new configuration option/format for this purpose.

Also, Nikos found out [1] that VPNs and DHCP clients sometimes overwrite /etc/resolv.conf completely, so any new option placed there will be lost.

Is that a good enough reason to create a new file, let's say /etc/resolv-sec.conf, for the purpose of declaring name servers as trusted?

Obvious advantage is that we could re-use existing file-parsing code :-)

You can see a proof-of-concept implementation for the c-ares resolver library at:

I would be really glad if we could cooperate with other libraries to prevent us from being mutually incompatible.

So the most important question: is a new file acceptable? Do you have something better for it?

Have a nice day!


Petr Spacek  @  Red Hat
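The proposal above (a separate, resolv.conf-style /etc/resolv-sec.conf listing the name servers a stub may trust for DNSSEC validation, so that a DHCP or VPN rewrite of /etc/resolv.conf cannot silently add an untrusted server) can be illustrated with the following added example. It is not code from glibc, c-ares or the proof-of-concept mentioned in the mail; the file name /etc/resolv-sec.conf, its syntax (plain "nameserver" lines so the existing parser can be reused) and all sample file contents are assumptions constructed for the example, using RFC 5737 documentation addresses.

```c
/* Added example, not glibc or c-ares code: parse name servers from
 * resolv.conf-style text, then pick the first active server that is also
 * declared trusted in a hypothetical /etc/resolv-sec.conf.  When a DHCP
 * client rewrites resolv.conf and drops the trusted server, no server is
 * picked, and a DNSSEC-aware stub must then treat answers as unvalidated
 * rather than honour the AD bit from a server it does not trust. */
#include <stdio.h>
#include <string.h>

#define MAX_NS 8
#define NS_LEN 64

struct ns_list {
    char addr[MAX_NS][NS_LEN];
    int count;
};

/* Constructed sample file contents (assumed syntax, RFC 5737 addresses). */
static const char RESOLV_SEC_CONF[] =
    "# trusted validating resolvers, same syntax as resolv.conf\n"
    "nameserver 127.0.0.1\n";

static const char RESOLV_CONF_ORIGINAL[] =
    "search example.test\n"
    "nameserver 127.0.0.1\n"
    "nameserver 192.0.2.53\n";

static const char RESOLV_CONF_AFTER_DHCP[] =
    "# Generated by a DHCP client; previous contents lost\n"
    "nameserver 192.0.2.1\n";

/* Parse "nameserver <addr>" lines; comments, blank lines and other
 * keywords are ignored.  Returns the number of servers found. */
int parse_nameservers(const char *text, struct ns_list *out)
{
    out->count = 0;
    while (*text) {
        const char *eol = strchr(text, '\n');
        size_t len = eol ? (size_t)(eol - text) : strlen(text);
        char line[256];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, text, len);
        line[len] = '\0';
        text += eol ? len + 1 : len;

        char key[32], val[NS_LEN];
        if (sscanf(line, "%31s %63s", key, val) == 2 &&
            strcmp(key, "nameserver") == 0 && out->count < MAX_NS)
            strcpy(out->addr[out->count++], val);
    }
    return out->count;
}

/* Convenience wrapper: how many "nameserver" lines does the text carry? */
int count_nameservers(const char *text)
{
    struct ns_list l;
    return parse_nameservers(text, &l);
}

/* Exact-string match of an address against the trusted list. */
int is_trusted(const char *addr, const struct ns_list *trusted)
{
    for (int i = 0; i < trusted->count; i++)
        if (strcmp(addr, trusted->addr[i]) == 0)
            return 1;
    return 0;
}

/* Return the first server in resolv_conf that is also listed in
 * resolv_sec_conf, or NULL if the active configuration contains no
 * trusted server.  The returned pointer refers to static storage. */
const char *pick_validating_server(const char *resolv_conf,
                                   const char *resolv_sec_conf)
{
    static struct ns_list active;
    struct ns_list trusted;
    parse_nameservers(resolv_conf, &active);
    parse_nameservers(resolv_sec_conf, &trusted);
    for (int i = 0; i < active.count; i++)
        if (is_trusted(active.addr[i], &trusted))
            return active.addr[i];
    return NULL;
}

int main(void)
{
    const char *none = "no trusted server; AD bit must be ignored";
    const char *before = pick_validating_server(RESOLV_CONF_ORIGINAL, RESOLV_SEC_CONF);
    printf("before DHCP rewrite: %s\n", before ? before : none);
    const char *after = pick_validating_server(RESOLV_CONF_AFTER_DHCP, RESOLV_SEC_CONF);
    printf("after DHCP rewrite:  %s\n", after ? after : none);
    return 0;
}
```

The point of keeping the trusted list in its own file is visible in the second run: the DHCP client replaced resolv.conf wholesale, but resolv-sec.conf still names only 127.0.0.1, so the newly installed 192.0.2.1 is not promoted to a validating server just because it appeared in resolv.conf.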
