On Fri, 21.03.14 12:37, Paul Wouters (paul@xxxxxxxxx) wrote:

> On Fri, 21 Mar 2014, Lennart Poettering wrote:
>
> >>we kinda do have dnssec per default. All DNS servers installed per
> >>default do DNSSEC. Installing dnssec-trigger makes that even more
> >>pervasive.
> >
> >Well, but glibc can't do the DNSSEC client side, can it?
>
> Applications that want to do DNSSEC validation can use one of the
> dns libraries available (libunbound, libisc, ldns, libval) or their
> python/perl bindings. Or they can trust the system and depend on the AD
> bit from a locally running nameserver.

Well, but tcpd doesn't use that. As long as -lresolve (i.e. glibc and
getaddrinfo()) can't do DNSSEC it's just not there...

> Some progress is being made elsewhere to come up with an API that's
> somewhere in the middle between blind AD bit trust and running a
> full dnssec cache in the application, eg getdns api:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1070510

Ah, yet another DNS API... Because we have so few... A library with an
API of getdns_list_create_with_extended_memory_functions() looks really
promising... not!

Lennart

-- 
Lennart Poettering, Red Hat
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
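To make concrete the "trust the AD bit from a locally running nameserver" option Paul mentions, here is an added example (written for this page; not code from the thread, from glibc, or from any of the libraries named) that builds a raw DNS query with the AD flag set, decodes the header flags of a reply, and only treats an answer as validated when the AD bit is set and the resolver path is local. The DNS messages are constructed inline with the standard library; the `resolver_is_local` parameter stands in for whatever the application knows about its stub-resolver configuration.

```python
import struct

# DNS header flag bits (RFC 1035 / RFC 4035): QR, TC, RD, RA, AD, CD, RCODE.
QR, TC, RD, RA, AD, CD = 0x8000, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234, ad: bool = True) -> bytes:
    """Wire-format query; AD set in a request asks the resolver to report
    validation status in its reply (RFC 6840 section 5.7)."""
    flags = RD | (AD if ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_flags(msg: bytes) -> dict:
    """Decode the 12-byte header into the fields an AD-bit check needs."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid, "qr": bool(flags & QR), "tc": bool(flags & TC),
        "ra": bool(flags & RA), "ad": bool(flags & AD), "cd": bool(flags & CD),
        "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
    }


def make_response(query: bytes, ad: bool, rcode: int = 0) -> bytes:
    """Constructed resolver reply for the demo: echoes the question section,
    sets QR/RD/RA and optionally AD. Not a real capture."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = QR | RD | RA | (AD if ad else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]


def answer_is_authenticated(query: bytes, response: bytes, resolver_is_local: bool) -> bool:
    """AD means something only when the hop to the validating resolver is
    trusted (loopback / local socket); over an untrusted path the bit is
    just a flag anyone on the wire could set, so we refuse to rely on it."""
    if not resolver_is_local:
        return False
    q, r = parse_flags(query), parse_flags(response)
    if r["id"] != q["id"] or not r["qr"] or r["rcode"] != 0 or r["tc"]:
        return False
    return r["ad"]
```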