This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH] Silence resolver logging for DNAME records when DNSSEC is enabled


On 02/23/2015 10:44 AM, Florian Weimer wrote:
> On 02/23/2015 04:41 PM, Carlos O'Donell wrote:
>>>> * The semantics of the DO bit remain roughly the same.
>>>
>>> That depends what the semantics are.  If “DO” means “DNSSEC OK”, then
>>> the semantics did change significantly.  If it means “you can send along
>>> random garbage, and I will cope”, semantics remained unchanged.
>>
>> Why? The original RFC says simply that the DO bit means "can accept DNSSEC
>> security RRs" but says nothing about needing to understand them.
> 
> The original RFC probably meant to restrict the effect to the record
> types known at the time (SIG and NXT, KEY is not relevant in this
> context).  glibc reflected this in its logging decision, the few DNS
> implementations which sent the DO bit by default apparently did not,
> which is why the flag was reused.

OK, we are on the same page. Thanks. We will continue to use the DO bit
to mean "We are OK with receiving additional unrelated records 
and will attempt to parse them to the best of our ability, or ignore
them." Which is all you can do if you don't understand the new RRs.

Cheers,
Carlos.
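
The "parse what you can, ignore the rest" reading of the DO bit agreed on above, as an added example that is not glibc's resolver code and not part of the original message: a bounds-checked walk over the answer section that counts records of the wanted type and steps over every other type by its RDLENGTH, without logging or failing. The names `skip_name` and `scan_answers` and the sample reply are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed reply to an A query for a.ex; DNAME/RRSIG RDATA is filler. */
static const uint8_t SAMPLE[] = {
    0x12,0x34, 0x81,0x80, 0,1, 0,3, 0,0, 0,0,             /* header: QD=1 AN=3 */
    1,'a', 2,'e','x', 0, 0,1, 0,1,                        /* question a.ex A IN */
    0xC0,14, 0,39, 0,1, 0,0,0,60, 0,3, 1,'t',0,           /* ex   DNAME (39) */
    0xC0,14, 0,46, 0,1, 0,0,0,60, 0,4, 0,0,0,0,           /* ex   RRSIG (46) */
    0xC0,12, 0,1,  0,1, 0,0,0,60, 0,4, 192,0,2,1          /* a.ex A 192.0.2.1 */
};

/* Return the offset just past an encoded name, or -1 if malformed. */
static long skip_name(const uint8_t *m, size_t len, size_t off) {
    while (off < len) {
        uint8_t c = m[off];
        if (c == 0) return (long)off + 1;               /* root label ends name */
        if ((c & 0xC0) == 0xC0) return off + 2 <= len ? (long)off + 2 : -1;
        if (c & 0xC0) return -1;                        /* reserved label type */
        off += 1u + c;                                  /* ordinary label */
    }
    return -1;
}

/* Count answer RRs of type `want`; RRs of any other type are stepped over
   by RDLENGTH and tallied in *ignored. Returns -1 on a malformed message. */
int scan_answers(const uint8_t *m, size_t len, unsigned want, int *ignored) {
    if (len < 12) return -1;
    unsigned qd = (m[4] << 8) | m[5], an = (m[6] << 8) | m[7];
    long off = 12;
    int hits = *ignored = 0;
    for (; qd--; off += 4)                              /* QTYPE + QCLASS */
        if ((off = skip_name(m, len, (size_t)off)) < 0 || (size_t)off + 4 > len)
            return -1;
    while (an--) {
        if ((off = skip_name(m, len, (size_t)off)) < 0 || (size_t)off + 10 > len)
            return -1;
        unsigned type = (m[off] << 8) | m[off + 1];
        size_t rdlen = ((size_t)m[off + 8] << 8) | m[off + 9];
        if ((size_t)off + 10 + rdlen > len) return -1;  /* RDATA overruns buffer */
        if (type == want) hits++; else (*ignored)++;    /* no log, no abort */
        off += 10 + (long)rdlen;
    }
    return hits;
}

int main(void) {
    int ignored, hits = scan_answers(SAMPLE, sizeof SAMPLE, 1, &ignored);
    printf("A records: %d, ignored: %d\n", hits, ignored);
    return hits < 0;
}
```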
 

