This is the mail archive of the
mailing list for the glibc project.
Re: [PATCH] Silence resolver logging for DNAME records when DNSSEC is enabled
- From: Florian Weimer <fweimer at redhat dot com>
- To: Siddhesh Poyarekar <siddhesh at redhat dot com>, libc-alpha at sourceware dot org
- Cc: carlos at redhat dot com
- Date: Fri, 20 Feb 2015 09:10:41 +0100
- Subject: Re: [PATCH] Silence resolver logging for DNAME records when DNSSEC is enabled
- Authentication-results: sourceware.org; auth=none
- References: <20150219190506 dot GA20188 at spoyarek dot pnq dot redhat dot com>
On 02/19/2015 08:05 PM, Siddhesh Poyarekar wrote:
> DNAME records are a convenient way to set up RRSIG for an entire
> subtree of a domain name tree instead of signing each of those
> records. Querying on such domains result in messages about a
> mismatch in the query type and returned record type. This patch
> disables the logging of this message for DNAME records if the DO
> bit is set.
Can we remove the logging altogether? Or at least for the
The DO bit essentially means, “I'm fine with receiving unknown RR
types”, it's not really related to DNSSEC. The reason for that is the
fact that the DNSSEC protocol was changed twice (once for DNSSECbis,
which is completely unrecognizable to the previous implementation, and
once for NSEC3), and the flag was reused.
So unless there is a compelling reason for logging this information,
I'd say just remove it.
Florian Weimer / Red Hat Product Security