On 11.6.2015 07:39, P J P wrote: > Hello Miloslav, > >> On Wednesday, 10 June 2015 8:55 PM, Miloslav Trmač <mitr@xxxxxxxxxx> wrote: >> We’ve had earlier conversations about whether the resolver being used (local, >> remote, container host) is trusted to perform DNSSEC validation. How is this >> resolved? The Change page AFAICS doesn’t say. >> >> Do you e.g. plan to have a configuration file which tells libc/and other >> applications dealing with resolv.conf directly to know whether the resolver can >> be trusted for DNSSEC? Or is perhaps the design that any resolver in >> /etc/resolv.conf is always trusted for DNSSEC, and sysadmins need to ensure that >> this is true if they use a remote one? > > Ummn...not any resolver in resolv.conf, but 127.0.0.1 is considered to be trusted. The proposed change is also to ensure that resolv.conf always has only 127.0.0.1 entry in it; And nothing else. > > > Configuration changes to indicate 'trusted' character of a resolver was proposed to upstream glibc, but that is yet to be resolved properly. > > -> https://www.sourceware.org/ml/libc-alpha/2014-11/msg00426.html Let me add that this concept of 'trusted' resolver will be added later when Glibc gets extended API which actually can convey the information. Realistically, in Fedora 23 we will not have the API available because Glibc upstream is quite unresponsive about this. As a result, we are not going to declare anything to be 'trusted' in Fedora 23. For now apps should not make any assumptions about resolver trustworthiness (as they did for decades). -- Petr Spacek @ Red Hat -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
