Re: F23 System Wide Change: Default Local DNS Resolver

On 11.6.2015 07:39, P J P wrote:
>    Hello Miloslav,
> 
>> On Wednesday, 10 June 2015 8:55 PM, Miloslav Trmač <mitr@xxxxxxxxxx> wrote:
>> We’ve had earlier conversations about whether the resolver being used (local,
>> remote, container host) is trusted to perform DNSSEC validation. How is this
>> resolved? The Change page AFAICS doesn’t say.
>>
>> Do you e.g. plan to have a configuration file which tells libc/and other
>> applications dealing with resolv.conf directly to know whether the resolver can
>> be trusted for DNSSEC? Or is perhaps the design that any resolver in
>> /etc/resolv.conf is always trusted for DNSSEC, and sysadmins need to ensure that
>> this is true if they use a remote one?
> 
>    Ummn... not any resolver in resolv.conf, but 127.0.0.1 is considered to be trusted. The proposed change is also to ensure that resolv.conf always has only the 127.0.0.1 entry in it, and nothing else.
> 
> 
> Configuration changes to indicate the 'trusted' character of a resolver were proposed to upstream glibc, but that is yet to be resolved properly.
> 
>   -> https://www.sourceware.org/ml/libc-alpha/2014-11/msg00426.html

Let me add that this concept of a 'trusted' resolver will be added later, when
glibc gets an extended API which can actually convey the information.

Realistically, in Fedora 23 we will not have the API available because Glibc
upstream is quite unresponsive about this. As a result, we are not going to
declare anything to be 'trusted' in Fedora 23.

For now apps should not make any assumptions about resolver trustworthiness
(as they did for decades).

-- 
Petr Spacek  @  Red Hat
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
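The invariant described in the thread (resolv.conf pointing at 127.0.0.1 and nothing else) is straightforward to verify on a host. The following is an added example, not code from the thread or from the Fedora Change; the resolv.conf contents are constructed samples, and the check only inspects the file, it does not decide DNSSEC trust for anyone.

```python
# Check whether a resolv.conf lists only the local 127.0.0.1 resolver,
# the state the Default Local DNS Resolver change aims to guarantee.
import ipaddress

# Constructed sample contents (not taken from any real host).
RESOLV_LOCAL = "# Generated by the local validating resolver\nnameserver 127.0.0.1\noptions edns0\n"
RESOLV_MIXED = "search example.com\nnameserver 127.0.0.1\nnameserver 192.0.2.53\n"
RESOLV_BROKEN = "nameserver 127.0.0.1\nnameserver not-an-address\n"

LOCAL_RESOLVER = "127.0.0.1"


def nameservers(resolv_conf_text):
    """Return the nameserver addresses in resolv.conf order.

    Lines starting with '#' or ';' are comments; only the first token after
    the 'nameserver' keyword is taken, as the resolver library does.
    """
    servers = []
    for raw in resolv_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            servers.append(parts[1])
    return servers


def non_local_resolvers(resolv_conf_text):
    """Return every nameserver entry that is not 127.0.0.1.

    Malformed entries are reported too, because a stub resolver will skip
    them and then silently fall back to whatever else is configured.
    """
    result = []
    for server in nameservers(resolv_conf_text):
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            result.append(server)
            continue
        if str(addr) != LOCAL_RESOLVER:
            result.append(server)
    return result


def only_local_resolver(resolv_conf_text):
    """True when exactly one nameserver is listed and it is 127.0.0.1."""
    return nameservers(resolv_conf_text) == [LOCAL_RESOLVER]
```

Run it against `/etc/resolv.conf` by passing `open("/etc/resolv.conf").read()` to `only_local_resolver`; any entries returned by `non_local_resolvers` are exactly the ones the thread says applications must not assume are trusted.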