This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Building consensus over DNSSEC enhancements to glibc.


On 11/07/2015 07:32 PM, Rich Felker wrote:
> On Sat, Nov 07, 2015 at 08:37:17AM +0900, Paul Wouters wrote:
>> On 11/07/2015 03:28 AM, Rich Felker wrote:
>>
>>> On a system configured with DNSSEC you do not allow resolv.conf to be
>>> changed by dhcp clients. Doing so is a bug.
>>
>> Life is more complicated than that. That's why things like
>> dnssec-trigger exist to begin with.
>>
>> 1) Blocked port 53 except to local resolver
>> 2) hotspots
>> 3) transparent redirection to non-dnssec resolver
>>
>> Additionally, we are seeing more initiatives in the DPRIVE working
>> group to work on dns privacy, so more and more we will see people
>> who don't want to use the local resolvers for anything else but
>> portal negotiation. Which is a good thing I think.
> 
> "Local resolver" means 127.0.0.1:53 to me. Not a resolver on the local
> network (e.g. ISP provided). Perhaps there's a discrepency in our
> usage of the term that's leading to misunderstanding here. Any
> problems that can possibly arise can be handled by always using
> 127.0.0.1:53 and passing off the responsibility for whatever complex
> behaviors are needed to the process bound to this port. That includes
> dns privacy.

Agreed.

c.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]