On 02/19/2014 12:09 AM, Carlos O'Donell wrote: > In a recent discussion about DNSSEC it was brought to my > attention that not all system administrators may understand > that the information in /etc/resolv.conf is fully trusted. > The resolver implementation in glibc treats /etc/resolv.conf > as a fully trusted source of DNS information and passes on > the AD-bit for DNSSEC as trusted. > > Would it be possible to add a clarifying setence to the > man page for resolv.conf.5 to make it absolutely clear that > indeed this source of information is trusted? > > Signed-off-by: Carlos O'Donell <carlos@xxxxxxxxxx> > > diff --git a/man5/resolv.conf.5 b/man5/resolv.conf.5 > index f398724..2dfccdf 100644 > --- a/man5/resolv.conf.5 > +++ b/man5/resolv.conf.5 > @@ -35,6 +35,9 @@ The resolver configuration file contains information that is read > by the resolver routines the first time they are invoked by a process. > The file is designed to be human readable and contains a list of > keywords with values that provide various types of resolver information. > +The configuration file is considered a trusted source of DNS information > +e.g. DNSSEC AD-bit information will be returned unmodified from these > +sources. > .LP > If this file does not exist, > only the name server on the local machine will be queried; Carlos, Thanks. I've applied this, but made one small change. You wrote plural "these sources", but the context seems to indicate a singular is required, so I changed it to "this source". Okay? Cheers, Michael -- Michael Kerrisk Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ Linux/UNIX System Programming Training: http://man7.org/training/ -- To unsubscribe from this list: send the line "unsubscribe linux-man" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
