Hello Miloslav,

> On Wednesday, 10 June 2015 8:55 PM, Miloslav Trmač <mitr@xxxxxxxxxx> wrote:
> We’ve had earlier conversations about whether the resolver being used (local,
> remote, container host) is trusted to perform DNSSEC validation. How is this
> resolved? The Change page AFAICS doesn’t say.
>
> Do you e.g. plan to have a configuration file which tells libc/and other
> applications dealing with resolv.conf directly to know whether the resolver can
> be trusted for DNSSEC? Or is perhaps the design that any resolver in
> /etc/resolv.conf is always trusted for DNSSEC, and sysadmins need to ensure that
> this is true if they use a remote one?

Ummn...not any resolver in resolv.conf, but 127.0.0.1 is considered to be trusted. The proposed change is also to ensure that resolv.conf always has only the 127.0.0.1 entry in it, and nothing else.

Configuration changes to indicate the 'trusted' character of a resolver were proposed to upstream glibc, but that is yet to be resolved properly.

-> https://www.sourceware.org/ml/libc-alpha/2014-11/msg00426.html

---
Regards
   -P J P
http://feedmug.com
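
A check for the state described in the reply above (resolv.conf listing only 127.0.0.1 and nothing else), as an added example that is not part of the original message or of the Fedora change. The function names and the sample file contents are constructed for illustration.

```python
import ipaddress
import sys

TRUSTED = ipaddress.ip_address("127.0.0.1")  # the only resolver the reply treats as trusted

# Constructed sample inputs (not taken from any real host).
SAMPLE_OK = "# local validating resolver\nnameserver 127.0.0.1\noptions edns0\n"
SAMPLE_MIXED = "nameserver 127.0.0.1\nnameserver 192.0.2.53\nsearch example.test\n"


def nameservers(text):
    """Return the addresses from 'nameserver' lines of resolv.conf text."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        # Comment lines start with '#' or ';'.
        if not line or line[0] in "#;":
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            found.append(fields[1])
    return found


def audit(text):
    """Return (ok, offenders).

    ok is True only when at least one nameserver is listed and every
    listed nameserver is exactly 127.0.0.1. A file with no nameserver
    line is reported as not ok, because the proposed state requires the
    explicit entry. Unparsable addresses are reported as offenders.
    """
    servers = nameservers(text)
    offenders = []
    for server in servers:
        try:
            if ipaddress.ip_address(server) != TRUSTED:
                offenders.append(server)
        except ValueError:
            offenders.append(server)
    return (bool(servers) and not offenders, offenders)


if __name__ == "__main__":
    # Audit the file given on the command line, or the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MIXED
    ok, offenders = audit(text)
    print("OK" if ok else "NOT OK", offenders)
    sys.exit(0 if ok else 1)
```

Run it with `/etc/resolv.conf` as the argument; a non-zero exit status means some listed resolver is not 127.0.0.1.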