This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: Building consensus over DNSSEC enhancements to glibc.
- From: Paul Wouters <pwouters at redhat dot com>
- To: Rich Felker <dalias at libc dot org>
- Cc: "Carlos O'Donell" <carlos at redhat dot com>, Simo Sorce <simo at redhat dot com>, Petr Spacek <pspacek at redhat dot com>, libc-alpha at sourceware dot org
- Date: Wed, 18 Nov 2015 11:56:59 +0900
- Subject: Re: Building consensus over DNSSEC enhancements to glibc.
- References: <564A1E3E dot 5090703 at redhat dot com> <20151116182322 dot GU3818 at brightrain dot aerifal dot cx> <564AB3F9 dot 4020404 at redhat dot com> <564AC146 dot 1040305 at redhat dot com> <564AD51D dot 4040100 at redhat dot com> <564AE333 dot 9090200 at redhat dot com> <564B7A42 dot 6050603 at redhat dot com> <564BD6E6 dot 5040506 at redhat dot com> <20151118020428 dot GJ3818 at brightrain dot aerifal dot cx> <564BE225 dot 2060900 at redhat dot com> <20151118023530 dot GK3818 at brightrain dot aerifal dot cx>
On 11/18/2015 11:35 AM, Rich Felker wrote:
> The smarter approach is to just always treat all networks as
> untrusted. Even if they're intended to be trusted, trusting them in
> ways you don't need to greatly expands the impact of any compromise.
> Do you really want a compromised host somewhere on your network (which
> is able to do arp poisoning and thereby fake dns results) to be able
> to make you accept a forged certificate via forged TLSA results? You
> can still use a centralized cache on your network but do the actual
> signature verifications on the endpoint.
Yes, but the distinction between hosts and network is rather flexible these days. A container or VM with just a database in it should not need a DNS resolver.
If you run 1000 VMs on a host, you want to use the host as DNS server instead of running 1000 DNS servers.
Applications that would still wish to do validation themselves can do so. And my draft is supposed to make that easier by using a single query and a throwaway cache: https://tools.ietf.org/html/draft-ietf-dnsop-edns-chain-query-05
Paul