On Fri, 21.03.14 12:37, Paul Wouters (paul(a)nohats.ca) wrote:

> On Fri, 21 Mar 2014, Lennart Poettering wrote:
>
>>> we kinda do have dnssec per default. All DNS servers installed per
>>> default do DNSSEC. Installing dnssec-trigger makes that even more
>>> pervasive.
>>
>> Well, but glibc can't do the DNSSEC client side, can it?
>
> Applications that want to do DNSSEC validation can use one of the
> dns libraries available (libunbound, libisc, ldns, libval) or their
> python/perl bindings. Or they can trust the system and depend on the AD
> bit from a locally running nameserver.

Well, but tcpd doesn't use that.

As long as -lresolve (i.e. glibc and getaddrinfo()) can't do DNSSEC it's
just not there...

> Some progress is being made elsewhere to come up with an API that's
> somewhere in the middle between blind AD bit trust and running a
> full dnssec cache in the application, eg getdns api:
> https://bugzilla.redhat.com/show_bug.cgi?id=1070510
Ah, yet another DNS API... Because we have so few... A library with an
API of getdns_list_create_with_extended_memory_functions() looks really
promising... not!
Lennart
--
Lennart Poettering, Red Hat
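An added example (not from this thread, and neither Paul's nor Lennart's code) of the "trust the AD bit from a locally running nameserver" route Paul mentions, done by hand because getaddrinfo() exposes no validation status: it builds a raw A query with the AD bit set, sends it to an assumed validating resolver on 127.0.0.1:53, and reports whether the reply carries AD. The function names, the loopback resolver address and example.com are assumptions; AD is a plaintext flag that any resolver on the path could set, so it only means something on a loopback or otherwise trusted path.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Build an A query for <name> with the AD bit set in the request, which asks a validating
 * resolver to report validation status in its reply (RFC 6840 5.7). Returns length or -1. */
int build_query(unsigned char *buf, size_t cap, const char *name, unsigned id) {
    size_t n = 12, nl = strlen(name);
    if (nl == 0 || nl > 253 || 12 + nl + 2 + 4 > cap) return -1;
    memset(buf, 0, 12);
    buf[0] = id >> 8; buf[1] = id & 0xff;          /* 16-bit transaction id */
    buf[2] = 0x01; buf[3] = 0x20;                  /* RD (recurse) and AD (we understand AD) */
    buf[5] = 1;                                    /* QDCOUNT = 1 */
    for (const char *p = name; *p; ) {             /* "example.com" -> \7example\3com\0 */
        const char *dot = strchr(p, '.');
        size_t l = dot ? (size_t)(dot - p) : strlen(p);
        if (l == 0 || l > 63) return -1;
        buf[n++] = (unsigned char)l; memcpy(buf + n, p, l); n += l;
        p = dot ? dot + 1 : p + l;
    }
    buf[n++] = 0;                                  /* root label ends the name */
    const unsigned char qtail[4] = {0, 1, 0, 1};   /* QTYPE A, QCLASS IN */
    memcpy(buf + n, qtail, 4);
    return (int)(n + 4);
}

/* 1 = AD set (resolver validated the answer), 0 = AD clear (unsigned zone or not
 * validated), -1 = short packet, wrong id, not a response, or non-zero RCODE. */
int ad_bit_set(const unsigned char *resp, size_t len, unsigned id) {
    if (len < 12) return -1;
    unsigned rid = (resp[0] << 8) | resp[1], flags = (resp[2] << 8) | resp[3];
    if (rid != id || !(flags & 0x8000) || (flags & 0x000F) != 0) return -1;
    return (flags & 0x0020) ? 1 : 0;               /* AD is bit 5 of the flags word */
}

int main(int argc, char **argv) {
    const char *name = argc > 1 ? argv[1] : "example.com";   /* assumed sample name */
    unsigned char q[512], r[4096]; unsigned id = 0x2a2a;     /* constructed id; randomise in real code */
    int s = socket(AF_INET, SOCK_DGRAM, 0), qlen = build_query(q, sizeof q, name, id);
    struct sockaddr_in dst = { .sin_family = AF_INET, .sin_port = htons(53) };
    inet_pton(AF_INET, "127.0.0.1", &dst.sin_addr); /* assumed local validating resolver */
    if (s < 0 || qlen < 0 || sendto(s, q, qlen, 0, (struct sockaddr *)&dst, sizeof dst) < 0) return 1;
    ssize_t rlen = recv(s, r, sizeof r, 0);
    int ad = ad_bit_set(r, rlen < 0 ? 0 : (size_t)rlen, id);
    printf("%s: %s\n", name, ad == 1 ? "AD set" : ad == 0 ? "AD not set" : "error");
    return close(s), ad == 1 ? 0 : 2;
}
```

A clear AD bit is not an error: it is what an unsigned zone looks like, so a caller that wants to enforce DNSSEC has to decide separately whether "unvalidated" is acceptable for the name in question.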