On Fri, Oct 11, 2002 at 04:56:27PM -0400, Michael Richardson <[EMAIL PROTECTED]> wrote a message of 68 lines which said:
> As a non-DNS developer (a customer of the domain name service), I am
> suffering from the problem that the only real API that anyone knows about is
> gethostbyname(3)...

<troll> You mean getaddrinfo(3)? </troll>

We could just add an error code:

  EAI_NOAUTH     DNS records not authenticated
  EAI_INVALAUTH  DNS authentication failed (invalid or corrupted signature)

With an option in /etc/resolv.conf to express if you want only signed records or not. But I'm certain it has already been discussed by DNSSEC people. Check archives.

> 1) was it signed at all?

See above.

> 2) how far is this data from an axiomatic key?

More complicated issue :-(

> 3) even though some of the signatures may have expired, and it might be
> that the servers are not reachable to update them, I would still like
> to get the data if the signatures continue to check out. I want the
> degraded security to be visible of course! Again for the audit log.

This is starting to look complicated. I suggest adding a new function, only for that level of security.
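The following C sketch is an added illustration of the getaddrinfo(3) extension discussed in this message; it is not code from the poster or from any libc. The two error codes EAI_NOAUTH and EAI_INVALAUTH exist only as a proposal here, so their numeric values are assumed, and the resolv.conf-style policy struct stands in for the unnamed option the message mentions. The validating resolver itself is not modelled: the function takes the validation outcome as input and maps it, together with the policy, to the return code an application would see, including the "degraded but returned" case from point 3 so that an audit log can record it.

```c
#include <stdio.h>
#include <string.h>
#include <netdb.h>   /* real EAI_* codes and gai_strerror(), which the proposal extends */

/* Hypothetical error codes from the message; not defined by any libc.
 * Values are assumed, chosen well away from the negative range glibc uses. */
#define EAI_NOAUTH    (-200)   /* answer carried no DNSSEC signatures */
#define EAI_INVALAUTH (-201)   /* signature invalid, corrupted, or unacceptable */

/* Validation outcome as a (hypothetical) validating resolver would report it. */
enum dnssec_state {
    DNSSEC_UNSIGNED,        /* no signature chain at all */
    DNSSEC_VALID,           /* signatures verify and are within their validity window */
    DNSSEC_VALID_EXPIRED,   /* signatures verify cryptographically but are past expiry */
    DNSSEC_BOGUS            /* signature does not verify */
};

/* Stand-in for the /etc/resolv.conf option the message suggests (names assumed). */
struct resolv_policy {
    int require_signed;     /* 1: refuse unsigned answers */
    int accept_expired;     /* 1: return data under expired signatures, flagged degraded */
};

struct lookup_result {
    int rc;                 /* 0 on success, otherwise an EAI_* code */
    int degraded;           /* 1 when data is returned despite expired signatures */
};

/* Map the resolver's verdict plus local policy to what getaddrinfo would return. */
struct lookup_result apply_dnssec_policy(enum dnssec_state st, const struct resolv_policy *p)
{
    struct lookup_result r = {0, 0};
    switch (st) {
    case DNSSEC_VALID:
        break;                                  /* fully authenticated: success */
    case DNSSEC_UNSIGNED:
        if (p->require_signed) r.rc = EAI_NOAUTH;
        break;                                  /* otherwise unsigned data is accepted */
    case DNSSEC_BOGUS:
        r.rc = EAI_INVALAUTH;                   /* never returned to the caller */
        break;
    case DNSSEC_VALID_EXPIRED:
        if (p->accept_expired) r.degraded = 1;  /* point 3: usable, but visibly degraded */
        else r.rc = EAI_INVALAUTH;
        break;
    }
    return r;
}

/* Error text for the new codes, falling back to gai_strerror() for existing ones. */
const char *dnssec_strerror(int rc)
{
    switch (rc) {
    case EAI_NOAUTH:    return "DNS records not authenticated";
    case EAI_INVALAUTH: return "DNS authentication failed (invalid or corrupted signature)";
    default:            return gai_strerror(rc);
    }
}

/* One audit-log line per lookup so degraded answers are visible, as the message asks.
 * Returns the number of characters written (snprintf semantics). */
int audit_line(char *buf, size_t n, const char *name, struct lookup_result r)
{
    if (r.rc != 0)
        return snprintf(buf, n, "lookup %s: FAILED (%s)", name, dnssec_strerror(r.rc));
    return snprintf(buf, n, "lookup %s: ok%s", name, r.degraded ? " [DEGRADED: expired signatures]" : "");
}

int main(void)
{
    /* Constructed scenarios: a strict policy and a lenient one. */
    struct resolv_policy strict  = {1, 0};
    struct resolv_policy lenient = {0, 1};
    char line[128];

    audit_line(line, sizeof line, "example.test", apply_dnssec_policy(DNSSEC_UNSIGNED, &strict));
    puts(line);   /* FAILED (DNS records not authenticated) */
    audit_line(line, sizeof line, "example.test", apply_dnssec_policy(DNSSEC_VALID_EXPIRED, &lenient));
    puts(line);   /* ok [DEGRADED: expired signatures] */
    return 0;
}
```

The key design point is that a bogus signature is refused under every policy, while "unsigned" and "expired" are the only outcomes the local option is allowed to soften; the degraded flag travels separately from the return code so the application still gets its data but cannot silently mistake it for an authenticated answer.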
