In a recent discussion about DNSSEC it was brought to my attention that not all system administrators may understand that the information in /etc/resolv.conf is fully trusted. The resolver implementation in glibc treats /etc/resolv.conf as a fully trusted source of DNS information and passes on the AD-bit for DNSSEC as trusted.

Would it be possible to add a clarifying sentence to the man page for resolv.conf.5 to make it absolutely clear that indeed this source of information is trusted?

Signed-off-by: Carlos O'Donell <carlos@xxxxxxxxxx>

diff --git a/man5/resolv.conf.5 b/man5/resolv.conf.5 index f398724..2dfccdf 100644 --- a/man5/resolv.conf.5 +++ b/man5/resolv.conf.5 @@ -35,6 +35,9 @@ The resolver configuration file contains information that is read by the resolver routines the first time they are invoked by a process. The file is designed to be human readable and contains a list of keywords with values that provide various types of resolver information. +The configuration file is considered a trusted source of DNS information +e.g. DNSSEC AD-bit information will be returned unmodified from these +sources. .LP If this file does not exist, only the name server on the local machine will be queried;

---

Cheers,
Carlos.

--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
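Review bot: The added sentence names the wrong thing as trusted and "from these sources" has no plural antecedent; in the hunk, "+The configuration file is considered a trusted source of DNS information" says the file itself is a source of DNS data, but the file only lists name servers, and it is the answers from those servers (including the AD bit) that the resolver passes through without checking. Suggested wording for the three added lines: "The name servers listed in this file are trusted: the resolver passes the DNSSEC AD (authenticated data) bit from their responses through to the application without validating it." Also split the run-on at "information e.g." with a colon or a new sentence, and consider placing the remark under the nameserver keyword, where an administrator deciding whether to point at an off-host resolver would read it, rather than in the introductory paragraph.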
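The practical consequence of the point raised above is that an application cannot take the AD bit at face value just because the stub resolver handed it over; it has to ask where the answer came from. The following is an added example, not code from the man-pages project or from glibc, showing the check a DNSSEC-aware application would want: parse a resolv.conf-style configuration, read the AD flag out of a raw DNS header, and only honour it when every configured name server is a loopback (local, validating) resolver. The resolv.conf texts and the DNS header bytes are constructed for the example. The `trust-ad` test models later glibc (2.31 and newer), which clears the AD bit unless that option is set; the glibc described in the message above passed the bit through unconditionally, so on such systems only the loopback check matters.

```python
"""Added example: decide whether to honour the DNSSEC AD bit in a stub-resolver
answer. Not glibc or man-pages code; all inputs below are constructed."""
import ipaddress
import struct

AD_FLAG = 0x0020  # AD (authenticated data) bit in the DNS header flags word

# Constructed resolv.conf contents: a local validating resolver on loopback ...
LOCAL_RESOLV_CONF = """\
# constructed sample, not a real host's file
nameserver 127.0.0.1
options edns0 trust-ad
"""

# ... versus an off-host resolver reached over plain, spoofable UDP
# (192.0.2.53 is a TEST-NET-1 documentation address, constructed here)
REMOTE_RESOLV_CONF = """\
nameserver 192.0.2.53
options edns0 trust-ad
"""

# Constructed 12-byte DNS headers: id 0x1234, QR/RD/RA set, 1 question, 1 answer.
# 0x81A0 additionally has the AD bit set; 0x8180 does not.
RESPONSE_WITH_AD = struct.pack('!HHHHHH', 0x1234, 0x81A0, 1, 1, 0, 0)
RESPONSE_WITHOUT_AD = struct.pack('!HHHHHH', 0x1234, 0x8180, 1, 1, 0, 0)


def parse_resolv_conf(text):
    """Return (nameservers, options) from resolv.conf-style text.

    Lines starting with '#' or ';' are comments. Only the 'nameserver' and
    'options' keywords matter for this check; other keywords are ignored.
    """
    nameservers, options = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        fields = line.split()
        if fields[0] == 'nameserver' and len(fields) > 1:
            nameservers.append(fields[1])
        elif fields[0] == 'options':
            options.update(fields[1:])
    return nameservers, options


def ad_bit_set(message):
    """Return True if the AD flag is set in the header of a raw DNS message."""
    if len(message) < 12:
        raise ValueError('truncated DNS header')
    flags = struct.unpack('!H', message[2:4])[0]
    return bool(flags & AD_FLAG)


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; a scope id such as '::1%lo' is tolerated."""
    try:
        return ipaddress.ip_address(addr.split('%', 1)[0]).is_loopback
    except ValueError:
        return False


def should_trust_ad(message, resolv_conf_text):
    """Honour the AD bit only when it is actually evidence of validation.

    Three conditions must hold: the answer carries AD; the resolver is
    configured to pass AD through (modelled by 'options trust-ad'); and every
    name server the answer could have come from is a local validating resolver
    on loopback, so the bit was not set by something on the network path.
    """
    nameservers, options = parse_resolv_conf(resolv_conf_text)
    if not ad_bit_set(message):
        return False
    if 'trust-ad' not in options:
        return False
    return bool(nameservers) and all(is_loopback(ns) for ns in nameservers)


if __name__ == '__main__':
    for label, conf in (('local', LOCAL_RESOLV_CONF), ('remote', REMOTE_RESOLV_CONF)):
        print(label, 'resolver, AD honoured:', should_trust_ad(RESPONSE_WITH_AD, conf))
```

With the local configuration the AD bit is honoured; with the remote one it is refused even though the response header is byte-for-byte identical, which is exactly the distinction the man page text should make the administrator aware of.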