This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: Building consensus over DNSSEC enhancements to glibc.


On 11/06/2015 06:37 PM, Paul Wouters wrote:
> On 11/07/2015 03:28 AM, Rich Felker wrote:
> 
>> On a system configured with DNSSEC you do not allow resolv.conf to be
>> changed by dhcp clients. Doing so is a bug.
> 
> Life is more complicated than that. That's why things like dnssec-trigger exist to begin with.
> 
> 1) Blocked port 53 except to local resolver
> 2) hotspots
> 3) transparent redirection to non-dnssec resolver
> 
> Additionally, we are seeing more initiatives in the DPRIVE working group to work on dns privacy, so more and more
> we will see people who don't want to use the local resolvers for anything else but portal negotiation. Which is
> a good thing I think.

The amount of policy required to make these decisions is exactly
why I think a solution at the level of the core C library is always
going to be inflexible for real user needs. Which is why my proposal
is simply `options dns-strip-dnssec-ad-bit` to strip the AD-bit and
that's it. The higher level policy frameworks need to coordinate and
set this option if needed, and that includes a distro-wide decision
about defaults at boot time.

In some regards I expect this is not what you want to hear because
the solution involves coordinating multiple projects and cleaning
up policy.

c.
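As an added illustration, not code from this thread or from glibc, of what the proposed `options dns-strip-dnssec-ad-bit` would do at the wire level: a small resolv.conf-style parser that recognises that option name, and a function that clears the AD flag in a DNS response header once the option is on. The parser, the function names and the sample response bytes are assumptions made for this example.

```c
/* Added example (not glibc code): clearing the DNSSEC "authentic data" (AD)
   flag in a DNS response, gated by a resolv.conf-style option. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HEADER_LEN 12
#define DNS_FLAG_AD    0x20   /* AD bit lives in header byte 3 (RFC 4035) */
#define STRIP_OPTION   "dns-strip-dnssec-ad-bit"   /* name proposed in the thread */

/* Returns true if a resolv.conf "options ..." line lists the strip option.
   Assumed parser: whitespace-separated tokens, exact name match. */
bool option_strips_ad(const char *line)
{
    if (strncmp(line, "options", 7) != 0) return false;
    const char *p = line + 7;
    if (*p != ' ' && *p != '\t') return false;
    for (;;) {
        while (*p == ' ' || *p == '\t') p++;
        if (*p == '\0' || *p == '\n') return false;
        size_t n = strcspn(p, " \t\n");
        if (n == strlen(STRIP_OPTION) && strncmp(p, STRIP_OPTION, n) == 0)
            return true;
        p += n;
    }
}

/* Clears AD in a wire-format response when stripping is enabled.
   Returns 1 if the bit was cleared, 0 if nothing changed, -1 if the
   buffer is too short to hold a DNS header. */
int strip_ad_bit(uint8_t *resp, size_t len, bool strip)
{
    if (resp == NULL || len < DNS_HEADER_LEN) return -1;
    if (!strip || !(resp[3] & DNS_FLAG_AD)) return 0;
    resp[3] &= (uint8_t)~DNS_FLAG_AD;
    return 1;
}

int main(void)
{
    /* Constructed header: id 0x1234, byte 2 = QR|RD, byte 3 = RA|AD, 1 question. */
    uint8_t resp[DNS_HEADER_LEN] = {0x12,0x34, 0x81,0xa0, 0,1, 0,0, 0,0, 0,0};
    bool strip = option_strips_ad("options edns0 dns-strip-dnssec-ad-bit\n");
    int r = strip_ad_bit(resp, sizeof resp, strip);
    printf("strip=%d cleared=%d flags byte 3 now 0x%02x\n", strip, r, resp[3]);
    return 0;
}
```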

