This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Update to DNSSEC design document.


This is not for 2.23, but I wanted to mention this update:

https://sourceware.org/glibc/wiki/DNSSEC

I have spent significant amounts of time with the Fedora
and RHEL distribution teams talking about potential solutions.

The most relevant change is that in order to support truly
fail-safe configurations we're going to suggest the solution
clean the AD-bit in responses by default, with the distribution
being in charge to setup a validating resolver configuration
(various distribution-level choices including a fixed nscd) after
which an option is set in /etc/resolv.conf. From that point on
the AD-bit is forwarded to applications. This makes creating a
fail-safe configuration very flexible and distributions can
choose exactly how they accomplish ensuring there is trust for
the entries in /etc/resolv.conf.

I believe I have a conversation thread with Zack Weinberg that
I still have to finish.

Cheers,
Carlos.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]