Hi Florian,

Thanks for your email!

On Fri, Apr 17, 2020 at 07:27:53PM +0200, Florian Weimer wrote:
> glibc 2.31 has support for recognizing that the name servers listed in
> /etc/resolv.conf are reached over a trusted network path and implement
> DNSSEC correctly (but do not necessarily perform validation):
>
> * The DNS stub resolver will optionally send the AD (authenticated data) bit
> in queries if the trust-ad option is set via the options directive in
> /etc/resolv.conf (or if RES_TRUSTAD is set in _res.options). In this
> mode, the AD bit, as provided by the name server, is available to
> applications which call res_search and related functions. In the default
> mode, the AD bit is not set in queries, and it is automatically cleared in
> responses, indicating a lack of DNSSEC validation. (Therefore, the name
> servers and the network path to them are treated as untrusted.)
>
> I think cloud-init needs a way to propagate this information the
> instance data injection.

I don't think I fully understand what "this information" is in this sentence. Could you expand a little on what you mean here?

> It may make sense to set trust-ad by default for certain injection
> methods, but I am not sure. In order to get the desired AD bit
> semantics, two things are required:
>
> * When sending and receiving packets to the addresses indicated in
> /etc/resolv.conf, the communication must happen with the DNS
> resolver on these IP addresses.

I'm not 100% sure I understand this requirement, could you perhaps reword it?

> Thoughts?

cloud-init has a module for configuring /etc/resolv.conf, cc_resolv_conf[0]. It has generic support for passing in "options", so I don't believe any specific work would be required for users to specify DNSSEC-related options.

Cheers,

Dan

[0] https://cloudinit.readthedocs.io/en/latest/topics/modules.html#resolv-conf
--
Mailing list: https://launchpad.net/~cloud-init
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~cloud-init
More help   : https://help.launchpad.net/ListHelp
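The point Florian raises above is that the AD bit only carries meaning when the name server in /etc/resolv.conf is reached over a path that cannot be tampered with; with trust-ad set, glibc passes whatever AD bit the server returns straight to applications. The following is an added example (not code from cloud-init, glibc, or this thread) that audits a resolv.conf file for exactly that mismatch: trust-ad present while a listed name server is not on a trusted path. It assumes that a loopback address (a validating resolver on the host itself) is trusted and that any other address must be listed explicitly by the caller; the resolv.conf samples are constructed for the demonstration.

```python
"""Audit /etc/resolv.conf for 'trust-ad' combined with an untrusted name server.

Added example, not code from the cloud-init project, glibc, or the mailing
list thread. Assumption: a name server is treated as trusted only if it is a
loopback address or is explicitly passed in trusted_servers.
"""
import ipaddress
from typing import Dict, Iterable, List


def parse_resolv_conf(text: str) -> Dict[str, List[str]]:
    """Return the nameserver addresses and the accumulated 'options' tokens.

    Lines starting with '#' or ';' are comments; several 'options' lines are
    allowed and their tokens accumulate, as glibc reads them.
    """
    nameservers: List[str] = []
    options: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        keyword, *args = line.split()
        if keyword == "nameserver" and args:
            nameservers.append(args[0])
        elif keyword == "options":
            options.extend(args)
    return {"nameservers": nameservers, "options": options}


def audit_trust_ad(text: str, trusted_servers: Iterable[str] = ()) -> List[str]:
    """Return a list of findings; an empty list means nothing to flag."""
    conf = parse_resolv_conf(text)
    # option tokens are either 'name' or 'name:value'; trust-ad takes no value
    option_names = {tok.split(":", 1)[0] for tok in conf["options"]}
    if "trust-ad" not in option_names:
        # default mode: glibc clears the AD bit in responses, so the name
        # server and path are already treated as untrusted; nothing to check
        return []

    trusted = {ipaddress.ip_address(s) for s in trusted_servers}
    # resolv.conf(5): with no nameserver entries the local machine is used
    servers = conf["nameservers"] or ["127.0.0.1"]

    findings: List[str] = []
    for ns in servers:
        try:
            # strip an IPv6 scope id such as fe80::1%eth0 before parsing
            addr = ipaddress.ip_address(ns.split("%", 1)[0])
        except ValueError:
            findings.append(f"trust-ad is set but nameserver {ns!r} is not a valid address")
            continue
        if addr.is_loopback or addr in trusted:
            continue
        findings.append(
            f"trust-ad is set but nameserver {ns} is not on a trusted path; "
            "its AD bit would reach applications without any local validation"
        )
    return findings


# constructed sample: local validating resolver, trust-ad is appropriate
SAFE = """# local stub listening on loopback
nameserver 127.0.0.53
options edns0 trust-ad
"""

# constructed sample: trust-ad with an off-host resolver over an unknown path
RISKY = """nameserver 192.0.2.1
search example.invalid
options timeout:1
options trust-ad
"""

# constructed sample: default mode, AD bit is cleared by glibc anyway
DEFAULT = """nameserver 192.0.2.1
options rotate
"""


if __name__ == "__main__":
    for name, sample in (("SAFE", SAFE), ("RISKY", RISKY), ("DEFAULT", DEFAULT)):
        findings = audit_trust_ad(sample)
        print(f"{name}: {'ok' if not findings else findings}")
```

Passing `trusted_servers=["192.0.2.1"]` for the RISKY sample silences the finding, which is the decision an operator has to make deliberately (for example when the address is a resolver reached over an authenticated tunnel) rather than by default.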

