Viktor,

Your mention of the getdns API is apropos since we just announced the beta release of our implementation :)

An application using the getdns API can decide how it will take advantage of the system files - for example whether it wants to use a search option, which is an improvement over the current approach in which applications are not aware of whether a suffix was appended to a query. I would add however that the same root operator that might add a suffix to resolv.conf could do other nefarious things to resolvers on that host, since the root operator has significant opportunities for MITM attacks on applications running on that host. I think the specification takes the most reasonable approach by deferring to the application to decide the extent to which it will respect system-wide settings (even including trust anchors).

--
Glen Wiley KK4SFV
Sr. Engineer
The Hive, Verisign, Inc.

On 2/26/14 1:24 PM, "Viktor Dukhovni" <[email protected]> wrote:

>On Wed, Feb 26, 2014 at 06:14:09PM +0000, Tony Finch wrote:
>
>> > As for setting the "AD" bit in the request automatically, it probably
>> > should still require an explicit indication of interest from the
>> > application or be set via a default option value /etc/resolv.conf.
>>
>> Perhaps, though I think the AD flag is pretty benign.
>
>I think it requires EDNS0, but if that is already set, perhaps
>turning on AD by default is harmless. This specific detail is
>perhaps more of a "dnsop" than "dane" question.
>
>By the way I just noticed that http://www.vpnc.org/getdns-api/
>does not define the interaction of DNSSEC with:
>
>    getdns_return_t getdns_context_set_append_name(
>        getdns_context *context,
>        getdns_append_name_t value );
>
>    Specifies whether to append a suffix to the query string before
>    the API starts resolving a name. The value is
>
>        GETDNS_APPEND_NAME_ALWAYS,
>        GETDNS_APPEND_NAME_ONLY_TO_SINGLE_LABEL_AFTER_FAILURE,
>        GETDNS_APPEND_NAME_ONLY_TO_MULTIPLE_LABEL_NAME_AFTER_FAILURE, or
>        GETDNS_APPEND_NAME_NEVER.
>
>    This controls whether or not to append the suffix given by
>    getdns_context_set_suffix
>
>Name appending breaks DNSSEC when any of the resulting zones are
>insecure and are tried before ultimately secure zones. The validity
>of a request for a secure response for an under-specified query is
>IMHO questionable.
>
>--
>    Viktor.
>
>_______________________________________________
>dane mailing list
>[email protected]
>https://www.ietf.org/mailman/listinfo/dane
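The interaction the thread is arguing about, as an added example that is not part of the original messages and is not getdns library code: a toy stub resolver over a constructed zone table that applies the four append_name values listed above and reports the DNSSEC validation status of whichever candidate answers first. The zone data, the search list order, and the exact semantics assigned to each policy (trailing-dot names are never appended; ALWAYS tries only the appended forms; the AFTER_FAILURE policies try the bare name first) are modelling assumptions for illustration. The second lookup function shows the check a DANE-style caller needs: accept the answer only if the owner name that actually answered validated as secure, regardless of which suffix produced it.

```python
"""Toy model of getdns-style name appending and its effect on DNSSEC status.

Added example, not getdns code: a stub resolver over a constructed zone table
that walks a search list under each append_name policy and returns the
validation status of whichever candidate name answers first.
"""
from enum import Enum
from typing import List, Optional, Tuple


class AppendName(Enum):
    # Names taken from the getdns API text quoted in the thread.
    ALWAYS = "GETDNS_APPEND_NAME_ALWAYS"
    ONLY_TO_SINGLE_LABEL_AFTER_FAILURE = "GETDNS_APPEND_NAME_ONLY_TO_SINGLE_LABEL_AFTER_FAILURE"
    ONLY_TO_MULTIPLE_LABEL_NAME_AFTER_FAILURE = "GETDNS_APPEND_NAME_ONLY_TO_MULTIPLE_LABEL_NAME_AFTER_FAILURE"
    NEVER = "GETDNS_APPEND_NAME_NEVER"


# Constructed zone data: absolute owner name -> (A record, validation status).
# "corp.example." stands for an unsigned internal zone that the search list
# tries first; "example.com." stands for a signed, validating zone.
ZONES = {
    "www.corp.example.": ("192.0.2.10", "insecure"),
    "www.example.com.": ("192.0.2.20", "secure"),
    "mail.example.com.": ("192.0.2.30", "secure"),
}

# Constructed search list, in the order a resolv.conf "search" line would give.
SEARCH_LIST = ["corp.example.", "example.com."]


def _absolute(name: str) -> str:
    return name if name.endswith(".") else name + "."


def candidates(qname: str, policy: AppendName, suffixes: List[str]) -> List[str]:
    """Owner names to try, in order, under the given policy.

    Modelling assumptions (this example's, not the spec's): a trailing dot
    disables appending; ALWAYS tries only the appended forms; the
    AFTER_FAILURE policies try the bare name first and append only when the
    label count matches the policy.
    """
    if qname.endswith("."):
        return [qname]
    bare = _absolute(qname)
    appended = [f"{qname}.{suffix}" for suffix in suffixes]
    single_label = "." not in qname
    if policy is AppendName.NEVER:
        return [bare]
    if policy is AppendName.ALWAYS:
        return appended
    if policy is AppendName.ONLY_TO_SINGLE_LABEL_AFTER_FAILURE:
        return [bare] + appended if single_label else [bare]
    # AppendName.ONLY_TO_MULTIPLE_LABEL_NAME_AFTER_FAILURE
    return [bare] + appended if not single_label else [bare]


def resolve(qname: str, policy: AppendName,
            suffixes: List[str] = SEARCH_LIST) -> Optional[Tuple[str, str, str]]:
    """First candidate with data wins, as a search-list walk does.

    Returns (owner name that actually answered, address, dnssec status) or
    None when no candidate exists in the constructed zones.
    """
    for owner in candidates(qname, policy, suffixes):
        if owner in ZONES:
            addr, status = ZONES[owner]
            return owner, addr, status
    return None


def resolve_secure(qname: str, policy: AppendName,
                   suffixes: List[str] = SEARCH_LIST) -> Optional[Tuple[str, str]]:
    """The caller-side check: use the answer only if the name that answered
    validated as secure. An insecure zone earlier in the search list must not
    satisfy a lookup that needs DNSSEC (e.g. one feeding DANE)."""
    result = resolve(qname, policy, suffixes)
    if result is None:
        return None
    owner, addr, status = result
    if status != "secure":
        return None
    return owner, addr


if __name__ == "__main__":
    for policy in AppendName:
        print(f"{policy.value}: first answer={resolve('www', policy)} "
              f"secure-only={resolve_secure('www', policy)}")
```

Running the block shows the failure mode from the thread: with the single-label-after-failure policy, the query "www" is answered from the unsigned corp.example. zone and comes back insecure, even though www.example.com. further down the search list would have validated; only the secure-only lookup refuses that answer. Reordering or shortening the search list changes which owner name answers, which is why the message treats a secure result for an under-specified query as something the application has to decide about rather than something the resolver can promise.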
