This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: Building consensus over DNSSEC enhancements to glibc.
- From: "Carlos O'Donell" <carlos at redhat dot com>
- To: Petr Spacek <pspacek at redhat dot com>, libc-alpha at sourceware dot org
- Cc: Simo Sorce <simo at redhat dot com>, Paul Wouters <pwouters at redhat dot com>
- Date: Fri, 13 Nov 2015 23:22:43 -0500
- Subject: Re: Building consensus over DNSSEC enhancements to glibc.
- Authentication-results: sourceware.org; auth=none
- References: <563A6E40 dot 9040508 at redhat dot com> <20151105012328 dot GU8645 at brightrain dot aerifal dot cx> <563C760E dot 4060107 at redhat dot com>
On 11/06/2015 04:42 AM, Petr Spacek wrote:
> The proposed AD bit stripping was an easy and cheap way to do this at one
> place in the system, with central configuration, which would allow us to
> eliminate all kinds of weird re-implementations in applications.
You have it.
Use `options dns-strip-dnssec-ad-bit` until you have NetworkManager running
with the right options and a local validating resolver.
I agree with Rich Felker. You must not allow anything to change /etc/resolv.conf
that isn't the master process (e.g. resolvconf in Ubuntu) which is in charge of
policy.
Cheers,
Carlos.