On Wed, Feb 26, 2014 at 09:12:20AM -0500, Paul Wouters wrote:
> 4 In the ideal world tomorrow, each host has its own automatically
> configured, perfectly working validing DNS server and resolv.conf can
> be ignored or is always hardcoded with nameserver 127.0.0.1
This is also my ideal world of tomorrow.
> Now for my question. Until we reach 4), what should we do with the AD
> bit in getaddrinfo() ?
I was not aware of any mechanism in getaddrinfo() to communicate
the AD bit? Is this a new getaddrinfo() implementation with features
I've not looked at yet?
Also getaddrinfo() typically uses RES_DEFNAMES and RES_SEARCH,
which make the meaning of any security bit rather ambiguous.
When the input is not a fully-qualified DNS name, what is it
the user has learned to be secure?
What happens when one of the domains on the search list returns
NXDOMAIN (without proof non-existence), but a subsequent suffix
yields a "secure" result?
I am fairly confident that security is rather elusive when the
input name is only partially specified. Lots of ways to get
this wrong.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
