Subject: Re: Patch for fixing the slow DNS lookup issue

From: Jakub Hrozek <jhrozek_at_redhat.com>
Date: Fri, 25 Jul 2014 14:40:21 +0200

On Fri, Jul 25, 2014 at 12:03:27PM +0200, Nikos Mavrogiannopoulos wrote:
> On Fri, 2014-07-25 at 11:13 +0200, Jakub Hrozek wrote:
>
> > > https://github.com/bagder/c-ares/pulls
> >
> > https://github.com/bagder/c-ares/pull/16 - I will ask my RH colleagues
> > about this. There is an effort around DNSSEC in Red Hat development now,
> > but I admit my DNSSEC knowledge is very limited, so I don't feel
> > qualified for a review. As a general note, this should be discussed with
> > the libc folks at the libc-alpha list.
>
> It would be nice for the co-ordination with the glibc folks to occur,
> in order to have a consistent way to read the trusted nameservers for
> DNSSEC. These servers need to be marked separately in order to allow
> the system administrator to trust the local verifying unbound server,
> and not the DNS server of the hotel he just got via DHCP, for DNSSEC
> verification. This is important as the patch adds non-validating
> DNSSEC support and relies on the upstream server to do validation; the
> advantage is that it avoids any crypto dependencies.
>
> Unfortunately the (months-long) discussion on libc-alpha didn't end in
> anything productive, hence I implemented what I thought best, i.e., a
> separate resolv-sec.conf file. That part is separated from the rest of
> the functionality (the last patch in pull request), and I'd be happy to
> update it if you have a better idea.
>
> If you have better communication skills than me you may want to resume
> the discussion in libc-alpha (or with some other libc people, like the
> FreeBSD ones).

I will first try to talk to Petr Spacek, who is the DNS guy on our team,
before talking to the glibc people.

> Nevertheless, in glibc my understanding is that they don't
> plan to implement anything DNSSEC related anytime soon, so even if an
> agreement is made, that may not be binding on them. Overall, I think it
> would be nice for c-ares to have that functionality even if glibc
> doesn't.

Right, last time I heard, even systemd folks were dabbling with the
idea.

I personally don't have a problem with out-of-glibc implementation,
after all, c-ares is a parallel DNS stack as well. What I would like to
avoid is a scenario where you would configure DNSSEC by following steps
A,B,C for c-ares and steps X,Y,Z for systemd/glibc/whatever.
Received on 2014-07-25
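As an added illustration of the model Nikos describes above, and not code from the c-ares pull request or from either poster, here is a stub-side sketch in Python of "non-validating DNSSEC": the query carries the EDNS0 DO bit so the upstream resolver validates, and the AD bit in the reply is believed only when the answering server appears in a separate trusted-servers file. The resolv-sec.conf format used here (plain `nameserver` lines, like resolv.conf), the function names, the sample files and the canned reply are all assumptions constructed for the example; the thread does not specify the file format.

```python
"""
Sketch of the "non-validating DNSSEC" model from the thread above: the
stub does no cryptography itself. It asks an upstream resolver to
validate (DO bit in the EDNS0 OPT record) and trusts the AD bit in the
answer only when the answer came from a nameserver listed as trusted.

Example code written for this thread, not the c-ares pull request.
The resolv-sec.conf format (plain 'nameserver' lines) is an assumption.
"""
import struct

# Constructed sample configuration files (not real system files).
RESOLV_CONF = """\
# what DHCP at the hotel handed us, plus the local unbound
nameserver 10.1.2.3
nameserver 127.0.0.1
"""
RESOLV_SEC_CONF = """\
# only the local validating unbound is trusted for DNSSEC (assumed format)
nameserver 127.0.0.1
"""


def parse_nameservers(text):
    """Return the nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, qid=0x1234, payload=4096):
    """DNS query with an EDNS0 OPT record carrying the DO bit (RFC 3225)."""
    # RD set, 1 question, 0 answers, 0 authority, 1 additional (the OPT RR)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
    # TTL field = ext-rcode | version | DO flag (0x8000) | zeros, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, payload, 0x00008000, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header; AD is bit 5 of the low flags byte."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),
        "ad": bool(flags & 0x0020),
        "cd": bool(flags & 0x0010),
        "rcode": flags & 0x000F,
    }


def dnssec_status(response, server, trusted_servers):
    """Classify an answer the way a non-validating stub must: the AD bit
    only means something when the server that set it is one we trust."""
    hdr = parse_header(response)
    if not hdr["qr"]:
        raise ValueError("not a response")
    if not hdr["ad"]:
        return "insecure"        # no validated answer (unsigned, or not validated)
    if server in trusted_servers:
        return "secure"          # validated by a resolver we trust
    return "untrusted-ad"        # AD set by a server we do not trust: ignore it


def fake_response(query, ad):
    """Constructed reply: echo the query with QR and RA (optionally AD) set."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    flags |= 0x8080              # QR + RA
    if ad:
        flags |= 0x0020
    return struct.pack("!HHHHHH", qid, flags, qd, an, ns, ar) + query[12:]


def demo():
    """Same AD-flagged reply from every configured server: only the one
    listed in resolv-sec.conf yields a 'secure' verdict."""
    trusted = parse_nameservers(RESOLV_SEC_CONF)
    query = build_query("example.com")
    results = {}
    for server in parse_nameservers(RESOLV_CONF):
        results[server] = dnssec_status(fake_response(query, ad=True), server, trusted)
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the point of the separate file: the hotel's 10.1.2.3 and the local 127.0.0.1 both return answers with AD set, but only the latter is in the trusted list, so only its AD bit is honoured. A stub that merged the two files would let any DHCP-provided server claim "validated".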