This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: Building consensus over DNSSEC enhancements to glibc.
- From: Paul Wouters <pwouters at redhat dot com>
- To: Rich Felker <dalias at libc dot org>, Simo Sorce <simo at redhat dot com>
- Cc: Petr Spacek <pspacek at redhat dot com>, libc-alpha at sourceware dot org
- Date: Sat, 7 Nov 2015 08:37:17 +0900
- Subject: Re: Building consensus over DNSSEC enhancements to glibc.
On 11/07/2015 03:28 AM, Rich Felker wrote:
> On a system configured with DNSSEC you do not allow resolv.conf to be
> changed by dhcp clients. Doing so is a bug.
Life is more complicated than that. That's why things like dnssec-trigger exist to begin with.
1) Blocked port 53 except to local resolver
2) Hotspots
3) Transparent redirection to non-DNSSEC resolver
Additionally, we are seeing more initiatives in the DPRIVE working group to work on DNS privacy, so more and more we will see people who don't want to use the local resolvers for anything else but portal negotiation. Which is a good thing, I think.
Paul