This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: resolv.conf format for DNSSEC [was: DNSSEC support in stub-resolver]
- From: Nikos Mavrogiannopoulos <nmav at redhat dot com>
- To: P J P <pj dot pandit at yahoo dot co dot in>
- Cc: "libc-alpha at sourceware dot org" <libc-alpha at sourceware dot org>
- Date: Tue, 17 Jun 2014 09:47:23 +0200
- Subject: Re: resolv.conf format for DNSSEC [was: DNSSEC support in stub-resolver]
- Authentication-results: sourceware.org; auth=none
- References: <535E41F5 dot 5020109 at redhat dot com> <loom dot 20140612T135904-448 at post dot gmane dot org> <20140612160823 dot E308B2C39C1 at topped-with-meat dot com> <1402659130 dot 6191 dot 52 dot camel at dhcp-2-127 dot brq dot redhat dot com> <20140613163110 dot GB179 at brightrain dot aerifal dot cx> <1402902619 dot 2357 dot 1 dot camel at dhcp-2-127 dot brq dot redhat dot com> <1402987618 dot 99362 dot YahooMailNeo at web192402 dot mail dot sg3 dot yahoo dot com>
On Tue, 2014-06-17 at 14:46 +0800, P J P wrote:
> > This is what I am proposing, and this is the reason we need the
> > additional resolv.conf entry to allow specifying the trusted (for
> > dnssec) name server.
> IIUC Rich's comment, resolver at 127.0.0.1:53 should be trusted implicitly,
> without any explicit annotation. But till that time when a local validating
> resolver is ubiquitous, we need some way to explicitly designate
> trusted resolvers in /etc/resolv.conf. It is likely that such a new
> configuration parameter would eventually remain unused, once we have
> a resolver running at 127.0.0.1:53.
There are two issues:
1. As an application author you don't know whether the localhost
resolver on an arbitrary user's system is trusted for dnssec or not (it may be an
old resolver that simply copies the AD bit without any check). The
administrator of the system, though, knows and can explicitly mark
it as such.
2. That would actually mean that virtual hosts (qemu, docker) within a
host cannot use the host's resolver (and cache) and have to implement
resolving on their own. In most of the cases (especially in docker
images) this is undesirable as you want to minimize the resources in the
container.
For these cases, we need an explicit way to specify the trusted dnssec
resolver for a host. Whether it is within resolv.conf or in another file is not
of importance. Of importance is to agree on some method, and if glibc
decides on one, the others will follow.
regards,
Nikos
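The point in the message above is that the AD bit in a reply is only meaningful if the server that set it is one the administrator has explicitly marked as a validating resolver; an old or forwarding resolver may copy the bit through unchecked. The following is an added illustration of that policy, not code from glibc or from anyone in this thread. It assumes a hypothetical per-nameserver annotation `dnssec-trusted` in resolv.conf (no such format was agreed here; it is a constructed placeholder), parses it, reads the AD flag from a wire-format DNS header, and treats an answer as validated only when both conditions hold.

```python
import struct

# Constructed sample resolv.conf. The "dnssec-trusted" token after a
# nameserver address is a HYPOTHETICAL annotation used only in this example.
SAMPLE_RESOLV_CONF = """\
# constructed sample, not a real system file
nameserver 127.0.0.1 dnssec-trusted
nameserver 192.0.2.53
options edns0
"""

# Authentic Data (AD) bit in the DNS header flags word (RFC 4035, section 3.2.3).
AD_FLAG = 0x0020


def parse_resolv_conf(text):
    """Map each nameserver address to whether the administrator marked it
    with the (hypothetical) dnssec-trusted annotation."""
    servers = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            servers[parts[1]] = "dnssec-trusted" in parts[2:]
    return servers


def ad_bit_set(message):
    """Read the AD flag from the 12-byte header of a wire-format DNS message."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags = struct.unpack("!HH", message[:4])
    return bool(flags & AD_FLAG)


def response_is_validated(message, server_ip, servers):
    """An answer counts as DNSSEC-validated only if the AD bit is set AND the
    server that returned it is on the administrator's trusted list. An AD bit
    from an untrusted server (which may simply have copied it) is ignored."""
    return ad_bit_set(message) and servers.get(server_ip, False)


def build_header(flags, qid=0x1234):
    """Constructed 12-byte DNS header: id, flags, and zero qd/an/ns/ar counts."""
    return struct.pack("!HHHHHH", qid, flags, 0, 0, 0, 0)


if __name__ == "__main__":
    servers = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    # 0x8180 = QR, RD, RA set; OR in AD to simulate a validating answer.
    answer = build_header(0x8180 | AD_FLAG)
    print(response_is_validated(answer, "127.0.0.1", servers))   # True
    print(response_is_validated(answer, "192.0.2.53", servers))  # False
```

The decision is deliberately split: `ad_bit_set` only reports what the wire says, and `response_is_validated` applies the local trust policy on top, so the same reply bytes are accepted from the marked resolver and rejected from the unmarked one.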