On Thu, Feb 27, 2014 at 12:01:44PM -0500, Paul Wouters wrote:
> On Thu, 27 Feb 2014, Petr Spacek wrote:
> 
> >Now we need to discuss 'a temporary solution' for the case where a
> >validating resolver is not available for whatever reason.
> 
> I don't agree with this premise, but those applications can be changed
> to use (most error handling removed for clarity):

Can *in principle* be changed, but in practice this is often
unlikely.  Postfix works well enough with libresolv, and supports
many older platforms.  Moving to libunbound, which is not as widely
deployed, is not worth the benefit.

The base libresolv library should be enhanced to at least catch up
with BSD-like systems and offer res_ninit(), res_nsearch(), ...
Beyond that it would be good to be able to tell libresolv:

    * I want AD without RRSIG

and to ask libresolv:

    - Do you trust the AD bit from your nameservers?

with that and an appropriate administrator-settable predicate in
resolv.conf we're largely set.  Applications which call res_setservers()
should automatically receive AD=1.

-- 
        Viktor.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
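As an added illustration of the two things the mail asks libresolv for (the AD flag from the response, and an administrator-settable trust predicate), here is example code that is not from the mail, Postfix or libresolv. It parses the 12-byte header of a DNS response buffer of the kind res_nsearch() returns, reports whether AD=1, and only treats that as meaningful when a (hypothetical) policy function says the path to the resolver is trusted, here: loopback only. The response bytes are constructed by hand, so the block runs without a network.

```c
/* Added example, not code from the original mail: inspecting the AD flag
 * in a DNS response header and gating it on resolver trust.  Works on the
 * raw answer buffer that res_nsearch()/res_nquery() would hand back. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DNS_HEADER_LEN 12

/* Flag bits in header bytes 2 and 3 (RFC 1035 s4.1.1, AD/CD from RFC 4035). */
#define FLAG_QR 0x80   /* byte 2: message is a response            */
#define FLAG_AD 0x20   /* byte 3: resolver asserts authentic data  */

/* Result of inspecting a response's validation status. */
enum ad_status {
    AD_MALFORMED = -1,  /* too short, or not a response at all            */
    AD_UNSET = 0,       /* resolver made no validation assertion          */
    AD_SET_UNTRUSTED,   /* AD=1, but the path to the resolver is untrusted */
    AD_SET_TRUSTED      /* AD=1 and the administrator trusts this resolver */
};

/* Hypothetical stand-in for the resolv.conf predicate the mail asks for:
 * trust the AD bit only from a resolver reached over loopback, since the
 * flag offers no protection against tampering on the wire. */
int resolver_is_trusted(const char *nameserver_ip)
{
    if (nameserver_ip == NULL)
        return 0;
    if (strncmp(nameserver_ip, "127.", 4) == 0)
        return 1;
    if (strcmp(nameserver_ip, "::1") == 0)
        return 1;
    return 0;
}

/* Examine the header of a response and classify its AD status. */
enum ad_status inspect_ad(const unsigned char *answer, size_t len,
                          int resolver_trusted)
{
    if (answer == NULL || len < DNS_HEADER_LEN)
        return AD_MALFORMED;
    if (!(answer[2] & FLAG_QR))      /* a query, not a response */
        return AD_MALFORMED;
    if (!(answer[3] & FLAG_AD))
        return AD_UNSET;
    return resolver_trusted ? AD_SET_TRUSTED : AD_SET_UNTRUSTED;
}

/* Constructed sample headers (ID, flags, QD=1, AN=1, NS=0, AR=0). */
static const unsigned char resp_ad_set[DNS_HEADER_LEN] = {
    0x12, 0x34, 0x81, 0xa0,          /* QR RD | RA AD, RCODE=0 */
    0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00
};
static const unsigned char resp_ad_unset[DNS_HEADER_LEN] = {
    0x12, 0x35, 0x81, 0x80,          /* QR RD | RA, RCODE=0    */
    0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00
};
static const unsigned char query_only[DNS_HEADER_LEN] = {
    0x12, 0x36, 0x01, 0x00,          /* RD only: QR=0          */
    0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

int main(void)
{
    const char *local = "127.0.0.1", *remote = "192.0.2.53";
    printf("AD from %s: %d\n", local,
           inspect_ad(resp_ad_set, DNS_HEADER_LEN, resolver_is_trusted(local)));
    printf("AD from %s: %d\n", remote,
           inspect_ad(resp_ad_set, DNS_HEADER_LEN, resolver_is_trusted(remote)));
    printf("no AD: %d\n",
           inspect_ad(resp_ad_unset, DNS_HEADER_LEN, resolver_is_trusted(local)));
    printf("not a response: %d\n",
           inspect_ad(query_only, DNS_HEADER_LEN, 1));
    return 0;
}
```

With the real libresolv, an application today has to set RES_USE_DNSSEC (which also requests RRSIGs via the DO bit) to see AD at all; the point of the example is that AD is only a statement by the resolver, so the trust decision belongs in a policy like resolver_is_trusted(), not in the flag itself.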