This is the mail archive of the mailing list for the glibc project.


Re: [PATCH] Silence resolver logging for DNAME records when DNSSEC is enabled

On 02/19/2015 08:05 PM, Siddhesh Poyarekar wrote:
> DNAME records are a convenient way to set up RRSIG for an entire 
> subtree of a domain name tree instead of signing each of those 
> records.  Querying on such domains results in messages about a
> mismatch in the query type and returned record type.  This patch
> disables the logging of this message for DNAME records if the DO
> bit is set.

Can we remove the logging altogether?  Or at least for the

The DO bit essentially means, “I'm fine with receiving unknown RR
types”, it's not really related to DNSSEC.  The reason for that is the
fact that the DNSSEC protocol was changed twice (once for DNSSECbis,
which is completely unrecognizable to the previous implementation, and
once for NSEC3), and the flag was reused.

So unless there is a compelling reason for logging this information,
I'd say just remove it.

Florian Weimer / Red Hat Product Security
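
The "just remove it" option discussed above, sketched as an answer-section walk that steps over any RR whose type differs from the query type without emitting a message. This is an added example, not glibc's resolver code and not the patch under review; `skip_name`, `count_answers` and the bytes in `sample_response` are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed response to "a.b IN A": DNAME b -> c, CNAME a.b -> a.c, A a.c */
static const uint8_t sample_response[] = {
    0x12,0x34, 0x81,0x80, 0,1, 0,3, 0,0, 0,0,            /* header: QD=1 AN=3 */
    1,'a',1,'b',0, 0,1, 0,1,                             /* question a.b A IN */
    0xC0,14, 0,39, 0,1, 0,0,0,60, 0,3, 1,'c',0,          /* b DNAME c         */
    0xC0,12, 0,5,  0,1, 0,0,0,60, 0,4, 1,'a',0xC0,33,    /* a.b CNAME a.c     */
    0xC0,48, 0,1,  0,1, 0,0,0,60, 0,4, 192,0,2,1         /* a.c A 192.0.2.1   */
};

/* Step over a possibly compressed name; return the next offset, 0 if malformed. */
static size_t skip_name(const uint8_t *m, size_t len, size_t off) {
    while (off < len) {
        uint8_t c = m[off];
        if (c == 0) return off + 1;                      /* root label ends it */
        if ((c & 0xC0) == 0xC0) return off + 2 <= len ? off + 2 : 0;
        if (c & 0xC0) return 0;                          /* reserved label type */
        off += 1u + c;
    }
    return 0;
}

/* Count answer RRs of type qtype. RRs of any other type (DNAME, CNAME, RRSIG,
   unknown) are skipped and tallied in *other, with no diagnostic output.
   Returns -1 if the message is truncated or malformed. */
int count_answers(const uint8_t *m, size_t len, uint16_t qtype, int *other) {
    if (len < 12) return -1;
    unsigned qd = (unsigned)m[4] << 8 | m[5], an = (unsigned)m[6] << 8 | m[7];
    size_t off = 12;
    int hits = 0;
    *other = 0;
    for (; qd > 0; qd--) {                               /* question section */
        if ((off = skip_name(m, len, off)) == 0 || len - off < 4) return -1;
        off += 4;
    }
    for (; an > 0; an--) {                               /* answer section */
        if ((off = skip_name(m, len, off)) == 0 || len - off < 10) return -1;
        uint16_t type = (uint16_t)(m[off] << 8 | m[off + 1]);
        size_t rdlen = (size_t)m[off + 8] << 8 | m[off + 9];
        off += 10;
        if (rdlen > len - off) return -1;                /* RDATA overruns message */
        if (type == qtype) hits++; else (*other)++;
        off += rdlen;
    }
    return hits;
}
```

The length checks before every read are what keep a truncated or hostile response from walking the parser past the end of the buffer.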
