This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] Silence resolver logging for DNAME records when DNSSEC is enabled
- From: Florian Weimer <fweimer at redhat dot com>
- To: "Carlos O'Donell" <carlos at redhat dot com>, Siddhesh Poyarekar <siddhesh at redhat dot com>, libc-alpha at sourceware dot org
- Date: Mon, 23 Feb 2015 16:03:55 +0100
- Subject: Re: [PATCH] Silence resolver logging for DNAME records when DNSSEC is enabled
- Authentication-results: sourceware.org; auth=none
- References: <20150219190506 dot GA20188 at spoyarek dot pnq dot redhat dot com> <54E6EC01 dot 1060906 at redhat dot com> <54E77E75 dot 7050609 at redhat dot com> <54EAFF14 dot 3010203 at redhat dot com> <54EB4074 dot 9080406 at redhat dot com>
On 02/23/2015 04:00 PM, Carlos O'Donell wrote:
> On 02/23/2015 05:21 AM, Florian Weimer wrote:
>>> In all of these cases the use of the DO-bit remains. No further RFC
>>> removes the use of the DO-bit from the client side protocol. None
>>> that I am aware of.
>>
>> The DO bit was introduced early because it was noticed that some clients
>> would choke on the unknown (to them) resource records sent along with
>> DNSSEC responses, so some mechanism was needed to suppress the record to
>> enable name resolution for those older implementations.
>
> You wrote earlier in this thread that the DO bit is not related to DNSSEC.
>
> I argue that it *is* related to DNSSEC, and continues to be related.
>
> Am I wrong?
It was introduced for a specific failure case spotted with the first
installment of DNSSEC.
But the same bit was reused for the second installment of DNSSEC, which
was totally unrecognizable to implementations of the earlier DNSSEC
variant. From their point of view, it could have been something else
entirely; they wouldn't know that it was still called DNSSEC.
DO is generally thought of as “DNSSEC supported”, so you are right, but
in practice, it just means, “you can send me properly formatted resource
records along with the answer which bear no relationship to the query,
and I will still pick out those records I'm interested in”.
--
Florian Weimer / Red Hat Product Security
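The practical reading of the DO bit given above (a client announcing that it tolerates resource records it did not ask for and picks out the ones it wants) can be shown concretely. The following is an added example, not code from this thread or from the glibc resolver: it builds an EDNS0 query with the DO flag set in the OPT record, and parses a constructed response that carries an A record together with an RRSIG (a DNSSEC type the client need not understand), skipping the unknown record by its RDLENGTH and returning only the addresses. The transaction id, the names and the RRSIG rdata bytes are constructed placeholders; nothing here validates signatures, which is exactly the point: DO signals tolerance of the extra records, not validation of them.

```python
import struct

TYPE_A = 1
TYPE_OPT = 41
TYPE_RRSIG = 46      # DNSSEC signature record; treated here as "unknown" rdata
CLASS_IN = 1
DO_FLAG = 0x8000     # DO bit: top bit of the 16-bit flags word in the OPT RR "TTL" field


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, dnssec_ok, txid=0x1234, udp_size=4096):
    """Query with one question and an EDNS0 OPT RR; DO set only if dnssec_ok."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    flags = DO_FLAG if dnssec_ok else 0
    # OPT RR: root name, type 41, "class" = UDP payload size,
    # "TTL" = extended RCODE (8) | EDNS version (8) | flags (16), RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, udp_size, 0, 0, flags, 0)
    return header + question + opt


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def parse_message(msg):
    """Return (questions, records); every RR is walked by RDLENGTH, known type or not."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            records.append((section, name, rtype, rclass, ttl, msg[off:off + rdlen]))
            off += rdlen
    return questions, records


def has_do_bit(msg):
    """True if the message carries an OPT RR with the DO flag set."""
    for _section, _name, rtype, _rclass, ttl, _rdata in parse_message(msg)[1]:
        if rtype == TYPE_OPT:
            return bool(ttl & DO_FLAG)
    return False


def extract_addresses(msg, qname):
    """Pick out only the IN A answers for qname; RRSIG and other types are ignored."""
    return [".".join(str(b) for b in rdata)
            for section, name, rtype, rclass, _ttl, rdata in parse_message(msg)[1]
            if section == "answer" and name == qname
            and rtype == TYPE_A and rclass == CLASS_IN]


def build_sample_response(txid=0x1234):
    """Constructed response: A record, an RRSIG with placeholder rdata, and OPT with DO."""
    name = "www.example.com."
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 1)   # QR, RD, RA; 2 answers, 1 additional
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    a_rr = encode_name(name) + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 10])
    # placeholder RRSIG rdata: 18 fixed bytes, signer name, then fake signature bytes
    fake_sig = b"\x00" * 18 + encode_name("example.com.") + b"\xAB" * 16
    rrsig_rr = (b"\xC0\x0C"                                       # pointer to the question name
                + struct.pack("!HHIH", TYPE_RRSIG, CLASS_IN, 300, len(fake_sig)) + fake_sig)
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, DO_FLAG, 0)
    return header + question + a_rr + rrsig_rr + opt


if __name__ == "__main__":
    print("DO set in query:", has_do_bit(build_query("www.example.com.", TYPE_A, True)))
    print("addresses:", extract_addresses(build_sample_response(), "www.example.com."))
```

The client side never inspects the RRSIG contents; it only needs the RDLENGTH to step over it. An implementation that instead aborted on an unrecognised type is the failure mode the DO bit was introduced to avoid, and a resolver that logs every such record as an error is noisy rather than safer.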