This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: resolv.conf format for DNSSEC [was: DNSSEC support in stub-resolver]

From: P J P <pj dot pandit at yahoo dot co dot in>
To: "libc-alpha at sourceware dot org" <libc-alpha at sourceware dot org>
Date: Tue, 17 Jun 2014 14:46:58 +0800
Subject: Re: resolv.conf format for DNSSEC [was: DNSSEC support in stub-resolver]
Authentication-results: sourceware.org; auth=none
References: <535E41F5 dot 5020109 at redhat dot com> <loom dot 20140612T135904-448 at post dot gmane dot org> <20140612160823 dot E308B2C39C1 at topped-with-meat dot com> <1402659130 dot 6191 dot 52 dot camel at dhcp-2-127 dot brq dot redhat dot com> <20140613163110 dot GB179 at brightrain dot aerifal dot cx> <1402902619 dot 2357 dot 1 dot camel at dhcp-2-127 dot brq dot redhat dot com>
Reply-to: P J P <pj dot pandit at yahoo dot co dot in>

> On Monday, 16 June 2014 12:40 PM, Nikos Mavrogiannopoulos <nmav@redhat.com> wrote:

>> On Fri, 2014-06-13 at 12:31 -0400, Rich Felker wrote:
>> IMO the right way to do DNSSEC is to run a nameserver (recursive or
>> just caching) on localhost, list it as the only nameserver in
>> resolv.conf, and have it be responsible for verification of trust.
>> Then in case of any vulnerability, the worst that happens is the
>> attacker gaining control over name resolution on the host, rather than
>> gaining full privilege elevation to the privilege level of the process
>> performing the lookup.
> 
> This is what I am proposing, and this is the reason we need the
> additional resolv.conf entry to allow specifying the trusted (for
> dnssec) name server.

  IIUC Rich's comment, resolver at 127.0.0.1:53 should be trusted implicitly, without any explicit annotation. But till that time when local validating resolver is ubiquitous, we need some way to explicitly designate trusted resolvers in /etc/resolv.conf. It is likely that such new configuration parameter would eventually remain unused, once we have resolver running at 127.0.0.1:53.

---
Regards
   -Prasad
http://feedmug.com

Follow-Ups:
- Re: resolv.conf format for DNSSEC [was: DNSSEC support in stub-resolver]
  - From: Nikos Mavrogiannopoulos

References:
- resolv.conf format for DNSSEC [was: DNSSEC support in stub-resolver]
  - From: Nikos Mavrogiannopoulos
- Re: resolv.conf format for DNSSEC [was: DNSSEC support in stub-resolver]
  - From: Roland McGrath
- Re: resolv.conf format for DNSSEC [was: DNSSEC support in stub-resolver]
  - From: Nikos Mavrogiannopoulos
- Re: resolv.conf format for DNSSEC [was: DNSSEC support in stub-resolver]
  - From: Rich Felker
- Re: resolv.conf format for DNSSEC [was: DNSSEC support in stub-resolver]
  - From: Nikos Mavrogiannopoulos

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]