On Fri, Jul 25, 2014 at 12:03:27PM +0200, Nikos Mavrogiannopoulos wrote:
> On Fri, 2014-07-25 at 11:13 +0200, Jakub Hrozek wrote:
> > > > https://github.com/bagder/c-ares/pulls
> > > > https://github.com/bagder/c-ares/pull/16 - I will ask my RH colleagues
> > about this. There is an effort around DNSSEC in Red Hat development now,
> > but I admit my DNSSEC knowledge is very limited, so I don't feel
> > qualified for a review. As a general note, this should be discussed with
> > the libc folks at the libc-alpha list.
>
> The co-ordination with the glibc folks would be nice to occur in order
> to have a consistent way to read the trusted nameservers for dnssec.
> These servers need to be marked separately in order to allow the system
> administrator to trust the local verifying unbound server, and not the
> DNS server of the hotel he just got via DHCP, for dnssec verification. This
> is important as the patch adds non-validating dnssec support and relies
> on the upstream server to do validation; the advantage is that it avoids
> any crypto dependencies.
>
> Unfortunately the (months-long) discussion on libc-alpha didn't end in
> anything productive, hence I implemented what I thought best, i.e., a
> separate resolv-sec.conf file. That part is separated from the rest of
> the functionality (the last patch in the pull request), and I'd be happy to
> update it if you have a better idea.
>
> If you have better communication skills than me you may want to resume
> the discussion in libc-alpha (or some other libc people like the
> FreeBSD ones).

I will first try to talk to Petr Spacek, who is the DNS guy on our team,
before talking to the glibc people.

> Nevertheless, in glibc my understanding is that they don't
> plan to implement anything dnssec related anytime soon, so even if an
> agreement is made that may not be binding to them. Overall, I think it
> would be nice for c-ares to have that functionality even if glibc
> doesn't.

Right, last time I heard, even systemd folks were dabbling with the idea.

I personally don't have a problem with an out-of-glibc implementation; after
all, c-ares is a parallel DNS stack as well. What I would like to avoid is a
scenario where you would configure DNSSEC by following steps A, B, C for
c-ares and steps X, Y, Z for systemd/glibc/whatever.
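The trust decision Nikos describes (non-validating DNSSEC, where the client does no crypto and only believes the AD bit when the answer came from a resolver the administrator listed separately), as an added illustration that is not code from c-ares or from the pull request. The page only names resolv-sec.conf; the "nameserver <addr>" line syntax, the addresses, and the 12-byte response headers below are constructed for this example. The AD flag position (bit 0x20 of the second flags byte) is from RFC 4035; comparing the sending address as a string is a simplification of what a real resolver would do.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_TRUSTED 8
#define ADDR_LEN 64

/* Constructed sample of a resolv-sec.conf. The mailing-list post only names
 * the file; the "nameserver <addr>" line syntax is an assumption here. */
static const char *EXAMPLE_RESOLV_SEC_CONF =
    "# validating resolvers this host trusts (constructed sample)\n"
    "nameserver 127.0.0.1\n"
    "nameserver ::1\n";

/* Constructed 12-byte DNS response headers: ID 0x1234, QR+RD in byte 2, and
 * in byte 3 either RA+AD (0xa0) or RA only (0x80). AD is bit 0x20 of the
 * second flags byte (RFC 4035). */
static const uint8_t RESPONSE_AD[12]    = {0x12,0x34, 0x81,0xa0, 0,1, 0,1, 0,0, 0,0};
static const uint8_t RESPONSE_NO_AD[12] = {0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0};

struct trusted_set {
    char addr[MAX_TRUSTED][ADDR_LEN];
    int count;
};

/* Parse "nameserver <addr>" lines; '#' lines and unknown keywords are
 * skipped. Returns the number of addresses stored. */
int parse_resolv_sec(const char *text, struct trusted_set *set)
{
    const char *p = text;
    set->count = 0;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t n = eol ? (size_t)(eol - p) : strlen(p);
        size_t i = 0;
        while (i < n && (p[i] == ' ' || p[i] == '\t')) i++;
        if (n - i > 10 && p[i] != '#' && strncmp(p + i, "nameserver", 10) == 0
            && (p[i + 10] == ' ' || p[i + 10] == '\t')) {
            size_t j = i + 10, k;
            while (j < n && (p[j] == ' ' || p[j] == '\t')) j++;
            k = j;
            while (k < n && p[k] != ' ' && p[k] != '\t' && p[k] != '\r') k++;
            if (k > j && k - j < ADDR_LEN && set->count < MAX_TRUSTED) {
                memcpy(set->addr[set->count], p + j, k - j);
                set->addr[set->count][k - j] = '\0';
                set->count++;
            }
        }
        p = eol ? eol + 1 : p + n;
    }
    return set->count;
}

int is_trusted_server(const struct trusted_set *set, const char *addr)
{
    int i;
    for (i = 0; i < set->count; i++)
        if (strcmp(set->addr[i], addr) == 0)
            return 1;
    return 0;
}

/* Non-validating DNSSEC: the client does no crypto itself, so an answer
 * counts as validated only when (a) the AD bit is set and (b) the server
 * that set it is in the trusted set. An AD bit from any other server, such
 * as one handed out by DHCP on a hotel network, is ignored. */
int dnssec_validated(const struct trusted_set *set, const char *from_addr,
                     const uint8_t *msg, size_t len)
{
    if (len < 12)         return 0;   /* shorter than a DNS header */
    if (!(msg[2] & 0x80)) return 0;   /* QR clear: not a response */
    if (!(msg[3] & 0x20)) return 0;   /* AD clear: upstream did not validate */
    return is_trusted_server(set, from_addr);
}

/* Convenience wrappers over the constructed samples above. */
int demo_trusted_count(void)
{
    struct trusted_set set;
    return parse_resolv_sec(EXAMPLE_RESOLV_SEC_CONF, &set);
}

int demo_check(const char *from_addr, int server_sets_ad)
{
    struct trusted_set set;
    const uint8_t *msg = server_sets_ad ? RESPONSE_AD : RESPONSE_NO_AD;
    parse_resolv_sec(EXAMPLE_RESOLV_SEC_CONF, &set);
    return dnssec_validated(&set, from_addr, msg, sizeof RESPONSE_AD);
}

int main(void)
{
    printf("trusted resolver, AD set: %d\n", demo_check("127.0.0.1", 1));
    printf("trusted resolver, no AD:  %d\n", demo_check("::1", 0));
    printf("DHCP resolver, AD set:    %d\n", demo_check("10.0.0.1", 1));
    return 0;
}
```

The point of keeping the trusted list in its own file rather than reusing resolv.conf is visible in the last case: a resolver learned from DHCP can set AD on anything it likes, and nothing in the response itself distinguishes a real validation from a forged flag, so the decision has to come from local configuration the administrator controls.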