On Wed, Feb 26, 2014 at 05:24:37PM +0000, Tony Finch wrote:

> > A) strip the AD bit in struct addrinfo for "untrusted nameservers". A new
> >    configuration mechanism will allow white-listing nameservers and
> >    127.0.0.1 will always be on the whitelist.
> 
> That sounds like a fair plan.

It is in fact problematic if both 127.0.0.1 and another nameserver
are listed.  The correct semantics of that are hard to define.  It
makes more sense to define a boolean primitive that marks all the
nameservers collectively as either trusted or not.

> Question: along with this change are you planning to change the resolver
> to set the AD flag in queries when the nameserver is known to be safe?
>
> Usually the AD flag only appears in responses if the query had the AD or
> DO flags set. DO is a bit wasteful for clients that only care about the AD
> bit. However the only DNSSEC switch that libc resolvers currently have is
> options edns0 (which implies DO).

The RES_USE_DNSSEC flag turns on the "DO" bit.  I would be surprised
if RES_USE_EDNS0 enabled "DO".  As for setting the "AD" bit in the
request automatically, it probably should still require an explicit
indication of interest from the application or be set via a default
option value in /etc/resolv.conf.

-- 
        Viktor.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
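
The policy discussed in this message, sketched as an added example (not code from the thread or from any libc): one boolean marks all configured nameservers as trusted or not, AD is cleared from responses when they are untrusted, and AD is set on a query only when the application asked for it. The struct and function names are hypothetical, the header bytes are constructed, and gating the query-side AD bit on the trust flag as well is an assumption of this sketch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DNS_HDR_LEN 12
#define DNS_FLAG_AD 0x20 /* AD bit in the second flags octet (header offset 3) */

/* Hypothetical policy: a single trust flag for all nameservers, plus an
 * explicit opt-in from the application (or a resolv.conf default). */
struct resolver_policy {
    bool nameservers_trusted;
    bool app_wants_ad;
};

/* Outgoing query: set AD only on explicit interest; otherwise clear it. */
int prepare_query(uint8_t *msg, size_t len, const struct resolver_policy *p)
{
    if (len < DNS_HDR_LEN)
        return -1;
    if (p->app_wants_ad && p->nameservers_trusted)
        msg[3] |= DNS_FLAG_AD;
    else
        msg[3] &= (uint8_t)~DNS_FLAG_AD;
    return 0;
}

/* Incoming response: strip AD when the nameservers are untrusted.
 * Returns the AD value the caller may rely on, or -1 on a short message. */
int filter_response(uint8_t *msg, size_t len, const struct resolver_policy *p)
{
    if (len < DNS_HDR_LEN)
        return -1;
    if (!p->nameservers_trusted)
        msg[3] &= (uint8_t)~DNS_FLAG_AD;
    return (msg[3] & DNS_FLAG_AD) ? 1 : 0;
}

int main(void)
{
    /* Constructed response header: QR+RD, RA+AD, RCODE 0, one question. */
    uint8_t resp[DNS_HDR_LEN] = {0x12, 0x34, 0x81, 0xA0, 0, 1, 0, 0, 0, 0, 0, 0};
    struct resolver_policy untrusted = {false, true};

    printf("AD reported to caller: %d\n",
           filter_response(resp, sizeof resp, &untrusted));
    return 0;
}
```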
