Re: DNSSEC support in c-ares-1.18.1
Sure Daniel. Regards Anant On Tue, 18 Jan 2022 at 03:06, Daniel Stenberg wrote: > On Mon, 17 Jan 2022, Anant via c-ares wrote: > > > Thanks Brad and Cristian for confirming. If I understand correctly, as > of > > now there is no plan to add DNSSEC in C-ares in future too. > > c-ares is a true open source project where development done is distributed > and > done by those who wants to see things done. > > If you want DNSSEC support in c-ares, then please go ahead and work on it. > Explain what components/functions you would need for it at a minimum and > maybe > you can drive up some interest and cooperation from others! > > (Said as a total DNSSEC rookie) > > -- > > / daniel.haxx.se > -- c-ares mailing list c-ares@lists.haxx.se https://lists.haxx.se/listinfo/c-ares
Re: DNSSEC support in c-ares-1.18.1
On Mon, 17 Jan 2022, Anant via c-ares wrote: Thanks Brad and Cristian for confirming. If I understand correctly, as of now there is no plan to add DNSSEC in C-ares in future too. c-ares is a true open source project where development done is distributed and done by those who wants to see things done. If you want DNSSEC support in c-ares, then please go ahead and work on it. Explain what components/functions you would need for it at a minimum and maybe you can drive up some interest and cooperation from others! (Said as a total DNSSEC rookie) -- / daniel.haxx.se -- c-ares mailing list c-ares@lists.haxx.se https://lists.haxx.se/listinfo/c-ares
Re: DNSSEC support in c-ares-1.18.1
Thanks Brad and Cristian for confirming. If I understand correctly, as of now there is no plan to add DNSSEC in C-ares in future too. Regards Anant On Fri, 14 Jan 2022 at 03:26, Cristian Rodríguez wrote: > DNSSEC has abysmal adoption rate.. adding more and more code to deal > with it is not going to get it better, in fact will add more bugs and > quirks to be aware of. > > it is better that you let your dns server do the job for you. > > > On Thu, Jan 13, 2022 at 2:45 PM Anant via c-ares > wrote: > > > > Thanks Brad! appreciate the quick response. > > > > Our query was in the context of a "Security-Aware Resolver" using > C-ares. We were wondering if something similar to what "bind" provides is > there in C-ares too. > > > > I see that there are some relevant changes in ares_nameser.h but do not > see anything relevant while creating queries/parsing answers. > > > > Is C-ares not intended to be used by "Security-Aware Resolvers"? > > > > Regards > > Anant > > > > > > On Thu, 13 Jan 2022 at 22:07, Brad House via c-ares < > c-ares@lists.haxx.se> wrote: > >> > >> DNSSEC verification is the responsibility of the DNS server, and not of > the client side. The DNS server the client connects to performs the actual > recursive lookups and performs the DNSSEC validation, so yes, you need to > make sure the DNS server you are using is trusted. > >> > >> On 1/13/22 8:11 AM, Anant via c-ares wrote: > >> > >> Hi, > >> > >> Do we have support for DNSSEC in 1.18.1? > >> > >> I am exploring the src and see that there are some relevant changes in > header files but I do not see that in query and answer handling. > >> Regards > >> Anant > >> > >> > >> -- > >> c-ares mailing list > >> c-ares@lists.haxx.se > >> https://lists.haxx.se/listinfo/c-ares > > > > -- > > c-ares mailing list > > c-ares@lists.haxx.se > > https://lists.haxx.se/listinfo/c-ares > -- c-ares mailing list c-ares@lists.haxx.se https://lists.haxx.se/listinfo/c-ares
Re: DNSSEC support in c-ares-1.18.1
DNSSEC has abysmal adoption rate.. adding more and more code to deal with it is not going to get it better, in fact will add more bugs and quirks to be aware of. it is better that you let your dns server do the job for you. On Thu, Jan 13, 2022 at 2:45 PM Anant via c-ares wrote: > > Thanks Brad! appreciate the quick response. > > Our query was in the context of a "Security-Aware Resolver" using C-ares. We > were wondering if something similar to what "bind" provides is there in > C-ares too. > > I see that there are some relevant changes in ares_nameser.h but do not see > anything relevant while creating queries/parsing answers. > > Is C-ares not intended to be used by "Security-Aware Resolvers"? > > Regards > Anant > > > On Thu, 13 Jan 2022 at 22:07, Brad House via c-ares > wrote: >> >> DNSSEC verification is the responsibility of the DNS server, and not of the >> client side. The DNS server the client connects to performs the actual >> recursive lookups and performs the DNSSEC validation, so yes, you need to >> make sure the DNS server you are using is trusted. >> >> On 1/13/22 8:11 AM, Anant via c-ares wrote: >> >> Hi, >> >> Do we have support for DNSSEC in 1.18.1? >> >> I am exploring the src and see that there are some relevant changes in >> header files but I do not see that in query and answer handling. >> Regards >> Anant >> >> >> -- >> c-ares mailing list >> c-ares@lists.haxx.se >> https://lists.haxx.se/listinfo/c-ares > > -- > c-ares mailing list > c-ares@lists.haxx.se > https://lists.haxx.se/listinfo/c-ares -- c-ares mailing list c-ares@lists.haxx.se https://lists.haxx.se/listinfo/c-ares
Re: DNSSEC support in c-ares-1.18.1
C-ares does not have the capability to perform DNSSEC validation on its own. On 1/13/22 12:44 PM, Anant wrote: Thanks Brad! appreciate the quick response. Our query was in the context of a "Security-Aware Resolver" using C-ares. We were wondering if something similar to what "bind" provides is there in C-ares too. I see that there are some relevant changes in ares_nameser.h but do not see anything relevant while creating queries/parsing answers. Is C-ares not intended to be used by "Security-Aware Resolvers"? Regards Anant On Thu, 13 Jan 2022 at 22:07, Brad House via c-ares wrote: DNSSEC verification is the responsibility of the DNS server, and not of the client side. The DNS server the client connects to performs the actual recursive lookups and performs the DNSSEC validation, so yes, you need to make sure the DNS server you are using is trusted. On 1/13/22 8:11 AM, Anant via c-ares wrote: Hi, Do we have support for DNSSEC in 1.18.1? Iam exploring the src and see that there are some relevant changes in header files but I do not see that in query and answer handling. Regards Anant -- c-ares mailing list c-ares@lists.haxx.se https://lists.haxx.se/listinfo/c-ares -- c-ares mailing list c-ares@lists.haxx.se https://lists.haxx.se/listinfo/c-ares
Re: DNSSEC support in c-ares-1.18.1
Thanks Brad! appreciate the quick response. Our query was in the context of a "Security-Aware Resolver" using C-ares. We were wondering if something similar to what "bind" provides is there in C-ares too. I see that there are some relevant changes in ares_nameser.h but do not see anything relevant while creating queries/parsing answers. Is C-ares not intended to be used by "Security-Aware Resolvers"? Regards Anant On Thu, 13 Jan 2022 at 22:07, Brad House via c-ares wrote: > DNSSEC verification is the responsibility of the DNS server, and not of > the client side. The DNS server the client connects to performs the actual > recursive lookups and performs the DNSSEC validation, so yes, you need to > make sure the DNS server you are using is trusted. > > On 1/13/22 8:11 AM, Anant via c-ares wrote: > > Hi, > > Do we have support for DNSSEC in 1.18.1? > > I am exploring the src and see that there are some relevant changes in > header files but I do not see that in query and answer handling. > Regards > Anant > > > -- > c-ares mailing list > c-ares@lists.haxx.se > https://lists.haxx.se/listinfo/c-ares > -- c-ares mailing list c-ares@lists.haxx.se https://lists.haxx.se/listinfo/c-ares
Re: DNSSEC support in c-ares-1.18.1
DNSSEC verification is the responsibility of the DNS server, and not of the client side. The DNS server the client connects to performs the actual recursive lookups and performs the DNSSEC validation, so yes, you need to make sure the DNS server you are using is trusted. On 1/13/22 8:11 AM, Anant via c-ares wrote: Hi, Do we have support for DNSSEC in 1.18.1? Iam exploring the src and see that there are some relevant changes in header files but I do not see that in query and answer handling. Regards Anant -- c-ares mailing list c-ares@lists.haxx.se https://lists.haxx.se/listinfo/c-ares