https://github.com/bagder/c-ares/pull/20

2014-09-05 Thread Nikos Mavrogiannopoulos
Hello,
I've split the previous dnssec support pull request into two parts.

Part I: https://github.com/bagder/c-ares/pull/20

That part adds support for dnssec and DANE for applications that want to
use it. That part requires no extensions to resolv.conf or anything
else. The application is responsible for setting the name servers
trusted for dnssec.

Part II:
This consists of two approaches, that both apply over pull/20.

Approach 1: https://github.com/bagder/c-ares/pull/21
  Adds support for reading trusted dnssec servers from /etc/resolv-sec.conf

Approach 2: https://github.com/bagder/c-ares/pull/22
  Adds support for reading trusted dnssec servers from /etc/resolv.conf

regards,
Nikos
Re: Patch for fixing the slow DNS lookup issue

2014-07-25 Thread Nikos Mavrogiannopoulos
On Fri, 2014-07-25 at 11:13 +0200, Jakub Hrozek wrote:

> https://github.com/bagder/c-ares/pulls
>
> https://github.com/bagder/c-ares/pull/16 - I will ask my RH colleagues
> about this. There is an effort around DNSSEC in Red Hat development now,
> but I admit my DNSSEC knowledge is very limited, so I don't feel
> qualified for a review. As a general note, this should be discussed with
> the libc folks at the libc-alpha list.

The co-ordination with the glibc folks would be nice to occur in order
to have a consistent way to read the trusted nameservers for dnssec.
These servers need to be marked separately in order to allow the system
administrator to trust the local verifying unbound server, and not the
dns server of the hotel he just got via DHCP, for dnssec verification. This
is important as the patch adds non-validating dnssec support and relies
on the upstream server to do validation; the advantage is that it avoids
any crypto dependencies.

Unfortunately the (months-long) discussion on libc-alpha didn't end in
anything productive, hence I implemented what I thought best, i.e., a
separate resolv-sec.conf file. That part is separated from the rest of
the functionality (the last patch in pull request), and I'd be happy to
update it if you have a better idea.

If you have better communication skills than me you may want to resume
the discussion in libc-alpha (or with some other libc people like the
FreeBSD folks). Nevertheless, in glibc my understanding is that they don't
plan to implement anything dnssec related anytime soon, so even if an
agreement is made that may not be binding to them. Overall, I think it
would be nice for c-ares to have that functionality even if glibc
doesn't.

regards,
Nikos
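The design point in the message above, that a non-validating stub must only honour the AD (Authenticated Data) bit when the answer came from an explicitly trusted validating resolver, as an added Python example; this is not code from c-ares or from the pull requests, and the resolv-sec.conf format (resolv.conf-style "nameserver" lines) and the sample DNS headers are constructed assumptions:

```python
import struct
from typing import Set

# Constructed sample of a resolv-sec.conf. The format is an assumption for this
# example: resolv.conf-style "nameserver" lines naming the local validator.
RESOLV_SEC_CONF = """\
# local validating unbound instance
nameserver 127.0.0.1
nameserver ::1
"""

AD_BIT = 0x0020  # Authenticated Data flag in the DNS header flags word (RFC 4035 3.2.3)


def parse_trusted_servers(text: str) -> Set[str]:
    """Return the set of nameserver addresses listed in resolv-sec.conf-style text."""
    servers = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            servers.add(parts[1])
    return servers


def ad_flag_set(msg: bytes) -> bool:
    """Read the AD bit from the 12-byte header of a raw DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _msg_id, flags = struct.unpack("!HH", msg[:4])
    return bool(flags & AD_BIT)


def response_is_validated(msg: bytes, server: str, trusted: Set[str]) -> bool:
    """AD is only meaningful when set by a resolver we trust to validate.

    Any other resolver, e.g. the one a hotel network hands out via DHCP, could set
    AD on an unvalidated or forged answer, so its responses never count as validated.
    """
    return server in trusted and ad_flag_set(msg)


# Constructed 12-byte headers: ID 0x1234, flags QR|RD|RA with and without AD, one
# question, one answer, no authority/additional records.
VALIDATED_HDR = bytes.fromhex("1234 81a0 0001 0001 0000 0000")
UNVALIDATED_HDR = bytes.fromhex("1234 8180 0001 0001 0000 0000")

if __name__ == "__main__":
    trusted = parse_trusted_servers(RESOLV_SEC_CONF)
    for server in ("127.0.0.1", "10.0.0.1"):  # local validator vs. DHCP-supplied resolver
        print(server, response_is_validated(VALIDATED_HDR, server, trusted))
```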