This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Update to DNSSEC design document.
- From: "Carlos O'Donell" <carlos at redhat dot com>
- To: GNU C Library <libc-alpha at sourceware dot org>, Pavel Simerda <psimerda at redhat dot com>
- Cc: Zack Weinberg <zackw at panix dot com>
- Date: Wed, 27 Jan 2016 12:30:28 -0500
- Subject: Update to DNSSEC design document.

This is not for 2.23, but I wanted to mention this update:
https://sourceware.org/glibc/wiki/DNSSEC

I have spent significant amounts of time with the Fedora
and RHEL distribution teams talking about potential solutions.

The most relevant change is that in order to support truly
fail-safe configurations we're going to suggest the solution
clean the AD-bit in responses by default, with the distribution
being in charge of setting up a validating resolver configuration
(various distribution-level choices including a fixed nscd) after
which an option is set in /etc/resolv.conf. From that point on
the AD-bit is forwarded to applications. This makes creating a
fail-safe configuration very flexible and distributions can
choose exactly how they accomplish ensuring there is trust for
the entries in /etc/resolv.conf.

I believe I have a conversation thread with Zack Weinberg that
I still have to finish.

Cheers,
Carlos.
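
The default described in the message above (clear the AD bit in responses unless /etc/resolv.conf opts in), sketched in C as an added example that is not code from the message or from glibc. The function names are hypothetical, and the option name `trust-ad` is an assumption: the message does not name the option, and this is the name glibc 2.31 later used.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN 12
#define DNS_FLAG_AD 0x20 /* AD is mask 0x20 in header byte 3 (RFC 4035) */

/* Return 1 if an "options" line of resolv.conf text lists opt as a whole token. */
static int conf_has_option(const char *conf, const char *opt)
{
    size_t optlen = strlen(opt);
    for (const char *line = conf; *line; ) {
        size_t len = strcspn(line, "\n");
        if (len > 7 && !strncmp(line, "options", 7) && strchr(" \t", line[7])) {
            const char *p = line + 7, *stop = line + len;
            while (p < stop) {
                p += strspn(p, " \t");
                size_t tok = strcspn(p, " \t\n");
                if (tok == optlen && !memcmp(p, opt, optlen))
                    return 1;
                p += tok;
            }
        }
        line += len + (line[len] == '\n');
    }
    return 0;
}

/* Fail-safe default: clear AD unless the configuration opts in.
   Returns the AD value the application will see, or -1 on a short packet. */
static int filter_ad_bit(uint8_t *resp, size_t len, const char *conf)
{
    if (len < DNS_HDR_LEN)
        return -1;
    if (!conf_has_option(conf, "trust-ad")) /* assumed option name */
        resp[3] &= (uint8_t)~DNS_FLAG_AD;
    return (resp[3] & DNS_FLAG_AD) != 0;
}

int main(void)
{
    /* Constructed header: id 0x1234, QR+RD, RA+AD, one question, one answer. */
    uint8_t a[12] = {0x12, 0x34, 0x81, 0xa0, 0, 1, 0, 1, 0, 0, 0, 0}, b[12];
    memcpy(b, a, sizeof a);
    printf("default:  AD=%d\n", filter_ad_bit(a, sizeof a, "nameserver 192.0.2.53\n"));
    printf("opted in: AD=%d\n", filter_ad_bit(b, sizeof b,
           "nameserver 127.0.0.1\noptions edns0 trust-ad\n"));
    return 0;
}
```

A commented-out or misspelled option leaves the default in place, so a broken configuration fails toward "not validated" rather than toward trusting an unverified AD bit.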