On Thu, Feb 27, 2014 at 09:44:01PM +0100, Petr Spacek wrote:
>>If we release a z-stream or y-stream glibc that inverts the definition
>>of `nameserver' from trusted to untrusted (doesn't use EDNS0+DO for
>>a query, and clears the AD bit) then applications in such a configuration
>>as described above that rely on the AD bit forwarding may cease to
>>function correctly.
A feature IMHO. Document the change, and tell administrators how
to mark the resolver list trusted. Enhance NetworkManager to be
able to write trusted resolv.conf files when the DNS server list
comes from a secure source.
>>That is why I do not want to change the existing meaning of `nameserver'
>>and why we should not change any of the existing meanings of entries in
>>/etc/resolv.conf. Thus for compatibility I suggest adding a new option
>>`untrusted' for use by such applications as NetworkManager to put
>>untrusted DNS server (acquired from untrusted DHCP results) into.
This fails open. Given the dearth of DNSSEC applications that rely
on the AD bit, this is I think the right time to get the right
semantics.
No changes are required in end-applications, just system configuration
management; this is an easy problem that should be addressed.
Marking /etc/resolv.conf explicitly untrusted, in every case where
it is not, is I think too fragile.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
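The two semantics argued over above (a resolver list that is trusted, so the stub sends EDNS0 with DO and passes the AD bit through, versus an untrusted list, so the stub sends no DO and clears AD in every reply) are small enough to show on the wire. The following is an added example written for this page, not code from glibc, NetworkManager or anyone on the thread. It assumes a hypothetical `options trust-ad` keyword in /etc/resolv.conf as the administrator's way of marking the list trusted, and it fails closed: absent that keyword the list is untrusted. The resolv.conf contents and the DNS reply are constructed sample data.

```python
import struct

AD = 0x0020   # Authenticated Data bit in the DNS header flags word (RFC 4035 3.2.3)
DO = 0x8000   # DNSSEC OK bit in the OPT pseudo-RR "TTL" field (RFC 6891 6.1.4)
RD = 0x0100   # Recursion Desired
QR = 0x8000   # reply
RA = 0x0080   # Recursion Available
OPT_TYPE = 41


def parse_resolv_conf(text):
    """Collect nameserver entries; the list is trusted only if the hypothetical
    'options trust-ad' keyword (an assumption of this example) is present."""
    servers, trusted = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "nameserver" and len(words) > 1:
            servers.append(words[1])
        elif words[0] == "options" and "trust-ad" in words[1:]:
            trusted = True
    return servers, trusted


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # compression pointer, two bytes
            return off + 2
        off += 1 + n


def build_query(qname, qtype, trusted, txid=0x1234):
    """Wire-format query. Only a trusted resolver gets an OPT record with DO set."""
    arcount = 1 if trusted else 0
    msg = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if trusted:
        # OPT RR: root name, type 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, DO, 0)
    return msg


def query_do_bit(msg):
    """True if the query carries an OPT record with DO set."""
    hdr = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(hdr[2]):                       # question section
        off = _skip_name(msg, off) + 4
    for _ in range(hdr[3] + hdr[4]):              # answer + authority
        off = _skip_name(msg, off)
        _t, _c, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
    for _ in range(hdr[5]):                       # additional
        off = _skip_name(msg, off)
        rtype, _c, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return bool(ttl & DO)
        off += 10 + rdlen
    return False


def sanitize_reply(msg, trusted):
    """What the stub does with a reply: AD survives only from a trusted resolver."""
    flags = struct.unpack("!H", msg[2:4])[0]
    if not trusted:
        flags &= ~AD
    return msg[:2] + struct.pack("!H", flags) + msg[4:]


def ad_bit(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & AD)


def demo():
    """Run both configurations against a constructed AD-flagged reply."""
    # Constructed resolv.conf samples: one as written from a DHCP lease, one marked by the admin.
    dhcp_conf = "# from DHCP lease, untrusted\nnameserver 192.0.2.53\n"
    local_conf = "nameserver 127.0.0.1\noptions trust-ad edns0\n"
    # Constructed reply from a validating resolver: QR|RD|RA|AD, one question, no answers.
    reply = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | AD, 1, 0, 0, 0)
    reply += encode_name("example.com") + struct.pack("!HH", 1, 1)
    results = {}
    for label, conf in (("dhcp", dhcp_conf), ("local", local_conf)):
        servers, trusted = parse_resolv_conf(conf)
        results[label] = {
            "servers": servers,
            "trusted": trusted,
            "query_do": query_do_bit(build_query("example.com", 1, trusted)),
            "reply_ad": ad_bit(sanitize_reply(reply, trusted)),
        }
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(label, r)
```

The DHCP-derived list gets no DO bit on the way out and no AD bit on the way back, whatever the server put in the reply; only the explicitly marked list passes AD through, which is the fail-closed default argued for above.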