Re: Maybe it's time to get rid of tcpwrappers/tcpd?

On Fri, 21.03.14 12:37, Paul Wouters (paul@xxxxxxxxx) wrote:

> On Fri, 21 Mar 2014, Lennart Poettering wrote:
> 
> >>we kinda do have dnssec per default. All DNS servers installed per
> >>default do DNSSEC. Installing dnssec-trigger makes that even more
> >>pervasive.
> >
> >Well, but glibc can't do the DNSSEC client side, can it?
> 
> Applications that want to do DNSSEC validation can use one of the
> dns libraries available (libunbound, libisc, ldns, libval) or their
> python/perl bindings. Or they can trust the system and depend on the AD
> bit from a locally running nameserver.

Well, but tcpd doesn't use that.

As long as -lresolve (i.e. glibc and getaddrinfo()) can't do DNSSEC it's
just not there...

> Some progress is being made elsewhere to come up with an API that's
> somewhere in the middle between blind AD bit trust and running a
> full dnssec cache in the application, eg getdns api:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1070510

Ah, yet another DNS API... Because we have so few... A library with an
API of getdns_list_create_with_extended_memory_functions() looks really
promising... not!

Lennart

-- 
Lennart Poettering, Red Hat
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
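
The "trust the AD bit from a locally running nameserver" option quoted above, as an added example that is not part of the original thread or of any library named in it. The function names, the verdict enum, the loopback-only policy and the sample header bytes are assumptions constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Header flag masks: RFC 1035 section 4.1.1; AD bit defined by RFC 4035. */
#define DNS_QR    0x8000u
#define DNS_TC    0x0200u
#define DNS_AD    0x0020u
#define DNS_RCODE 0x000Fu

enum ad_verdict { AD_SECURE, AD_INSECURE, AD_UNTRUSTED_PATH, AD_MALFORMED };

/* Constructed 12-byte headers: ID 0x1234, QR|RD|RA, with and without AD. */
static const uint8_t SAMPLE_AD[12]   = { 0x12, 0x34, 0x81, 0xa0, 0, 1, 0, 1 };
static const uint8_t SAMPLE_NOAD[12] = { 0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1 };

/* Assumption: AD is only trusted from a resolver on loopback, since the
 * flag is not authenticated on the wire. */
static int resolver_is_loopback(const char *addr)
{
    struct in_addr v4;
    struct in6_addr v6;
    if (inet_pton(AF_INET, addr, &v4) == 1)
        return (ntohl(v4.s_addr) >> 24) == 127;
    if (inet_pton(AF_INET6, addr, &v6) == 1)
        return IN6_IS_ADDR_LOOPBACK(&v6);
    return 0;
}

enum ad_verdict check_ad_bit(const char *resolver, const uint8_t *msg,
                             size_t len, uint16_t query_id)
{
    if (len < 12)
        return AD_MALFORMED;              /* shorter than a DNS header */
    uint16_t id    = (uint16_t)((msg[0] << 8) | msg[1]);
    uint16_t flags = (uint16_t)((msg[2] << 8) | msg[3]);
    if (id != query_id || !(flags & DNS_QR) || (flags & DNS_TC))
        return AD_MALFORMED;              /* not our reply, or truncated */
    if (!resolver_is_loopback(resolver))
        return AD_UNTRUSTED_PATH;         /* AD could be set by anyone */
    if ((flags & DNS_RCODE) == 2)
        return AD_INSECURE;               /* SERVFAIL: never treat as validated */
    return (flags & DNS_AD) ? AD_SECURE : AD_INSECURE;
}

int main(void)
{
    printf("%d %d\n", check_ad_bit("127.0.0.1", SAMPLE_AD, 12, 0x1234),
           check_ad_bit("192.0.2.53", SAMPLE_AD, 12, 0x1234));
    return 0;
}
```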