On Thu, 10 Apr 2014, Billy Crook wrote:
I don't think pointing resolv.conf at 127.0.0.1 is the right
answer
for this. The functionality should be implemented as a 'hosts'
service to be listed in nsswitch.conf between files and dns.
For security reasons, you really want resolv.conf to only point to
127.0.0.1. Otherwise applications cannot determine the security of
the DNSSEC answers without doing full validation inside every
application themselves.
See recent discussions on the DANE mailinglist regarding the AD bit
discussion:
http://www.ietf.org/mail-archive/web/dane/current/maillist.html
Paul