This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



EDNS0 / DO support in resolver


Hi,

it seems that the resolver in glibc does not support the EDNS0 extension specified in RFC2761. This makes it unsuitable for use with DNSSEC applications that use the Authentic Data ("AD") bit in the DNS response to verify data authenticity.

According to RFC3655: "The AD bit MUST only be set if DNSSEC records have been requested via the DO bit [RFC3225] and relevant SIG records are returned." RFC3225 specifies that the DO bit is set in the EDNS0 header.

A real-world application that demonstrates the problem is openssh. It has the possibility to verify SSH fingerprints using SSHFP RRs. It will accept these records only if the data is authentic, implied by the AD bit being set on the response. But when using the resolver in glibc, no DO bit is sent and hence no AD bits are returned. This means that openssh is unable to verify key fingerprints.

As a workaround one can compile openssh with the resolver library shipped with bind. I tried 9.3.2 myself and it worked (note: you need to set the "edns0" option in /etc/resolv.conf as well). However, in the long term I think that glibc should implement this natively. Maybe this is as easy as re-syncing the resolver in glibc (which seems to have originated from bind) against the latest upstream?

Regards, Geert
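To make the wire-level point of the mail concrete, here is an added example (not glibc, bind or openssh code) that builds a DNS query carrying an EDNS0 OPT pseudo-RR with the DO bit set, parses the header flags and OPT record back out of a message, and applies the RFC 3655 rule quoted above: the AD bit is only meaningful when the query asked for DNSSEC data via DO. The response is constructed in the script itself (a dummy SSHFP answer with a zeroed fingerprint) to stand in for a validating resolver's reply; the hostname and transaction id are arbitrary.

```python
"""EDNS0 / DO / AD demonstration. Constructed example, not code from glibc's
resolver; the name host.example. and the txid are placeholders."""
import struct

QTYPE_OPT = 41      # OPT pseudo-RR type used by EDNS0 (RFC 2671)
QTYPE_SSHFP = 44    # SSHFP RR type (RFC 4255)
FLAG_QR = 0x8000    # header flag: this is a response
FLAG_RD = 0x0100    # header flag: recursion desired
FLAG_RA = 0x0080    # header flag: recursion available
FLAG_AD = 0x0020    # header flag: authentic data
DO_BIT = 0x8000     # DO flag: high bit of the low 16 bits of the OPT "TTL" field


def encode_name(name):
    """Encode a dotted name as DNS labels terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234, do=True, udp_payload=4096):
    """Query with one question and, if do=True, an OPT RR in the additional
    section whose DO bit asks the resolver to return DNSSEC data."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if do else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    if not do:
        return header + question
    # OPT RR: root NAME, TYPE 41, CLASS = requester's UDP payload size,
    # TTL = ext-rcode(8) | version(8) | DO(1) | Z(15), RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, udp_payload, DO_BIT, 0)
    return header + question + opt


def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_message(buf):
    """Extract txid, header flags of interest, and whether an OPT RR with DO is present."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", buf, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4          # QTYPE + QCLASS
    do = False
    for _ in range(an + ns + ar):
        off = skip_name(buf, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == QTYPE_OPT and ttl & DO_BIT:
            do = True
        off += rdlen
    return {"id": txid, "rd": bool(flags & FLAG_RD),
            "ad": bool(flags & FLAG_AD), "do": do}


def build_response(query, ad=True):
    """Constructed stand-in for a validating resolver's reply: echoes the
    question, adds one SSHFP answer (RSA / SHA-1, zeroed fingerprint) and,
    when the query carried OPT with DO, an OPT RR in the additional section."""
    q = parse_message(query)
    qend = skip_name(query, 12) + 4
    question = query[12:qend]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    arcount = 1 if q["do"] else 0
    header = struct.pack("!HHHHHH", q["id"], flags, 1, 1, 0, arcount)
    rdata = bytes([1, 1]) + bytes(20)          # constructed SSHFP rdata
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_SSHFP, 1, 300, len(rdata)) + rdata
    opt = (b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, DO_BIT, 0)) if arcount else b""
    return header + question + answer + opt


def authentic(query, response):
    """RFC 3655 rule from the mail: trust AD only if DO was requested and the
    reply matches the query's transaction id."""
    q, r = parse_message(query), parse_message(response)
    return q["id"] == r["id"] and q["do"] and r["ad"]


if __name__ == "__main__":
    q_do = build_query("host.example.", QTYPE_SSHFP, do=True)
    q_plain = build_query("host.example.", QTYPE_SSHFP, do=False)
    print("DO query: ", q_do.hex())
    print("plain query:", q_plain.hex())
    print("authentic with DO:   ", authentic(q_do, build_response(q_do, ad=True)))
    print("authentic without DO:", authentic(q_plain, build_response(q_plain, ad=True)))
```

The plain query is what a resolver without EDNS0 support emits: no OPT RR, so a validating recursive server never sets AD and a client such as the one described above has no grounds to trust the SSHFP data. With `tcpdump -vvv` or `dig +dnssec` the presence of the OPT RR and the `do` flag in outgoing queries is the easiest thing to check when diagnosing this.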

