This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: [PATCH] Silence resolver logging for DNAME records when DNSSEC is enabled
- From: "Carlos O'Donell" <carlos at redhat dot com>
- To: Florian Weimer <fweimer at redhat dot com>, Siddhesh Poyarekar <siddhesh at redhat dot com>, libc-alpha at sourceware dot org
- Date: Mon, 23 Feb 2015 10:00:04 -0500
- Subject: Re: [PATCH] Silence resolver logging for DNAME records when DNSSEC is enabled
- Authentication-results: sourceware.org; auth=none
- References: <20150219190506 dot GA20188 at spoyarek dot pnq dot redhat dot com> <54E6EC01 dot 1060906 at redhat dot com> <54E77E75 dot 7050609 at redhat dot com> <54EAFF14 dot 3010203 at redhat dot com>
On 02/23/2015 05:21 AM, Florian Weimer wrote:
>> In all of these cases the use of the DO-bit remains. No further RFC
>> removes the use of the DO-bit from the client side protocol. None
>> that I am aware of.
>
> The DO bit was introduced early because it was noticed that some clients
> would choke on the unknown (to them) resource records sent along with
> DNSSEC responses, so some mechanism was needed to suppress the record to
> enable name resolution for those older implementations.
You wrote earlier in this thread that the DO bit is not related to DNSSEC.
I argue that it *is* related to DNSSEC, and continues to be related.
Am I wrong?
If I am wrong, by what mechanism (if any is required) should the stub
resolver indicate that it is OK to send back DNSSEC RR's? Regardless of
the fact that those RR's are changing as we redefine DNSSEC.
Cheers,
Carlos.