On Thu, Feb 27, 2014 at 12:01:44PM -0500, Paul Wouters wrote:

> This has the same effect as stripping out forged AD bits, except real AD
> bits survive. It uses whatever nameservers the system has in
> /etc/resolv.conf. It supports overrides in /etc/hosts. It does not
> require glibc modification. It does not require various applications
> read new keywords in resolv.conf or new config files. It has no race
> conditions. It's a great band-aid until "tomorrow".

Oddly enough, unrelated to this thread, someone asked me today
whether there exist stub resolver libraries that can be configured
to trust AD=1, but *otherwise* perform local validation when AD=0.

Perhaps the local recursor is non-validating, or Petr's idea is
implemented and the AD bit is suppressed.  Either way, the application
can recover at the cost of performing internal verification, but only
when "necessary".

Anyone know of a library that can support this mode of operation?

-- 
        Viktor.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
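The two behaviours discussed above, as an added example that is not code from this thread or from any resolver library: the band-aid from the quoted message (clear the AD bit on every response unless it came from a resolver you trust to validate, so only "real" AD bits survive) and the stub-resolver mode Viktor asks about (accept AD=1 from such a resolver, otherwise route the response to local validation). Only the 12-byte DNS header is parsed; the trusted-resolver address set, the sample header and the "validate-locally" outcome label are assumptions of the example, and local DNSSEC validation itself is not implemented.

```python
"""AD (Authenticated Data) bit handling for DNS responses.

Added example, not code from the dane thread or any resolver library.
Only the 12-byte header is parsed; question and RR sections stay opaque.
"""
import struct
from ipaddress import ip_address

# Header flag bits (RFC 1035 4.1.1; AD and CD from RFC 2535 6.1 / RFC 4035 3.2).
FLAG_QR = 0x8000
FLAG_AA = 0x0400
FLAG_TC = 0x0200
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020
FLAG_CD = 0x0010

HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount


def flags_of(msg: bytes) -> int:
    """Return the 16-bit flags word of a DNS message."""
    if len(msg) < HEADER.size:
        raise ValueError("truncated DNS header")
    return HEADER.unpack_from(msg)[1]


def ad_set(msg: bytes) -> bool:
    return bool(flags_of(msg) & FLAG_AD)


def strip_ad(msg: bytes) -> bytes:
    """Return msg with AD cleared; every other byte is left untouched."""
    flags = flags_of(msg) & ~FLAG_AD
    return msg[:2] + struct.pack("!H", flags) + msg[4:]


def filter_response(msg: bytes, source: str, trusted_validators) -> bytes:
    """The band-aid from the quoted message.

    AD arriving from anything but a trusted validating resolver is treated
    as forged and cleared; AD from a trusted validator (assumed here to be
    identified by its source address) survives.
    """
    trusted = {ip_address(a) for a in trusted_validators}
    if ip_address(source) in trusted:
        return msg
    return strip_ad(msg)


def classify(msg: bytes, source: str, trusted_validators) -> str:
    """The stub-resolver mode asked about above (labels are this example's).

    'trusted' when AD=1 came from a trusted validator; otherwise
    'validate-locally', i.e. hand the response to a local DNSSEC validator.
    """
    if ad_set(filter_response(msg, source, trusted_validators)):
        return "trusted"
    return "validate-locally"


def build_header(ident: int, flags: int, qd=1, an=1, ns=0, ar=0) -> bytes:
    """Constructed sample: a header only, with no question or answer bytes."""
    return HEADER.pack(ident, flags, qd, an, ns, ar)


if __name__ == "__main__":
    trusted = ["127.0.0.1"]  # assumed local validating recursor
    resp = build_header(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
    print(classify(resp, "127.0.0.1", trusted))   # trusted
    print(classify(resp, "192.0.2.53", trusted))  # validate-locally
```

Matching on source address is only as strong as the path to that resolver: a response spoofed onto the loopback interface, or a non-validating recursor at the trusted address, would still carry an AD bit this filter keeps.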