This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Building consensus over DNSSEC enhancements to glibc.


On 11/16/2015 07:46 PM, Petr Spacek wrote:

>> By the way, have you had a chance to review how an AD flag policy should
>> interact with the search path configured in /etc/resolv.conf?
> 
> Hmm, I apparently did not send the reply :-) Anyway, in my eyes 'search' is
> inherently incompatible with domain name-based checks (be it TLS or DNSSEC or
> whatever else).
> 
> Speaking about AD bit, theoretically it could be set 1 if *all* intermediate
> results had the bit set to 1, but I'm worried that applications would not
> handle it correctly: Application would have to receive back the terminal name
> which was found & use the name for domain name checks, which is error prone
> and adds yet another layer which application developer has to take care of.
> 
> Given that in TLS world search directive and use of short names lead to
> validation failures (unless the cert contains the short name ...) I would
> strip the AD bit if search is in use & name returned is not the same as name
> originally requested by the caller.

We would have to apply this stripping unconditionally, even for trusted
recursive resolvers, I think.  Do you agree?

Florian


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]