On Fri, 21 Mar 2014, Lennart Poettering wrote:

> > we kinda do have dnssec per default. All DNS servers installed per
> > default do DNSSEC. Installing dnssec-trigger makes that even more
> > pervasive.
>
> Well, but glibc can't do the DNSSEC client side, can it?

Applications that want to do DNSSEC validation can use one of the
dns libraries available (libunbound, libisc, ldns, libval) or their
python/perl bindings. Or they can trust the system and depend on the AD
bit from a locally running nameserver.
Some progress is being made elsewhere to come up with an API that's
somewhere in the middle between blind AD bit trust and running a
full dnssec cache in the application, e.g. the getdns API:
https://bugzilla.redhat.com/show_bug.cgi?id=1070510
In addition to making it easier to get all the records in one go to do
validation and then throw away the intermediate data:
https://tools.ietf.org/html/draft-wouters-edns-chain-query-00
There is still a larger discussion going on about how exactly to fit
DNSSEC in the OS and applications. Some people don't like blind trust,
some people don't like tying the application too tightly to DNSSEC. But
with TLSA records in DNS, there is now a need to add DNSSEC to crypto
libraries.
Paul
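As an added illustration of the "trust the AD bit from a locally running nameserver" option discussed above (example code written for this page, not from the thread or from any of the libraries named), the snippet below decodes the 12-byte DNS header and accepts an answer as DNSSEC-validated only when the resolver set AD and is a loopback address. The sample headers are constructed inline rather than captured.

```python
import struct
import ipaddress

# DNS header flag bits (RFC 1035; AD and CD from RFC 4035 section 3.2.3).
FLAG_QR = 0x8000  # response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authentic data: resolver says it validated the answer
FLAG_CD = 0x0010  # checking disabled


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header; return id, flag booleans, rcode and counts."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
        "counts": (qd, an, ns, ar),
    }


def validated_by_trusted_resolver(msg: bytes, resolver_ip: str) -> bool:
    """The 'AD bit trust' model: the answer counts as DNSSEC-validated only if
    the header has AD set AND the resolver is a local (loopback) nameserver.
    An AD bit arriving over an unauthenticated path from a remote resolver
    proves nothing, because anyone on that path could have set it."""
    h = parse_header(msg)
    if not h["qr"] or h["rcode"] != 0:
        return False
    if not ipaddress.ip_address(resolver_ip).is_loopback:
        return False
    return h["ad"]


# Constructed sample headers (not real traffic); question/answer sections omitted.
RESP_AD = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 0)
RESP_NO_AD = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)
```

The same AD-set response is accepted from 127.0.0.1 but rejected from a non-loopback resolver, which is exactly the distinction between trusting a local validating cache and blindly trusting the bit.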
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct