This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: Building consensus over DNSSEC enhancements to glibc.

From: "Carlos O'Donell" <carlos at redhat dot com>
To: Zack Weinberg <zackw at panix dot com>, libc-alpha at sourceware dot org
Date: Fri, 13 Nov 2015 23:38:01 -0500
Subject: Re: Building consensus over DNSSEC enhancements to glibc.
Authentication-results: sourceware.org; auth=none
References: <563A6E40 dot 9040508 at redhat dot com> <56429E2A dot 7050208 at panix dot com>

On 11/10/2015 08:47 PM, Zack Weinberg wrote:
> On 11/04/2015 03:44 PM, Carlos O'Donell wrote:
>> Community,
>>
>> I have written up a summary of the mailing list discussions
>> surrounding DNSSEC and the enhancements required to better
>> support it in glibc.
>>
>> https://sourceware.org/glibc/wiki/DNSSEC
>>
>> Any thoughts or comments would be much appreciated.
> 
> (I am not a DNS nerd, but I *am* a security nerd.)
> 
> The conversation so far has convinced me of something I've suspected for
> a while: The nameservers configured in /etc/resolv.conf *cannot* be
> trusted - not even 127.0.0.1.  The only approach that seems viable to me
> is to scrap the idea of outsourcing DNSSEC validation to a local DNS server.

Could you expand on this a bit?

How is outsourcing to a local validating resolver different from outsourcing
to nscd?

Cheers,
Carlos.

Follow-Ups:
- Re: Building consensus over DNSSEC enhancements to glibc.
  - From: Zack Weinberg

References:
- Building consensus over DNSSEC enhancements to glibc.
  - From: Carlos O'Donell
- Re: Building consensus over DNSSEC enhancements to glibc.
  - From: Zack Weinberg

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]