Re: PATCH: Glibc-2.31 DNSSEC and GCC 10

2020-04-29 Thread Florian Weimer
* Wietse Venema: >> This is an interesting data point because the interaction between >> RES_DEFNAMES, RES_DNSRCH, and the ndots and no-tld-query options are >> far from obvious. Even the exact impact of RES_DEFNAMES and >> RES_DNSRCH probably varies between code written from scratch and the >>

Re: PATCH: Glibc-2.31 DNSSEC and GCC 10

2020-04-28 Thread Florian Weimer
* Wietse Venema: > Florian Weimer: >> * Wietse Venema: >> >> > Florian Weimer: >> >> * Wietse Venema: >> >> >> >> > Florian Weimer: >> >> >> * Rich Felker: >> >> >> >> >> >>

Re: PATCH: Glibc-2.31 DNSSEC and GCC 10

2020-04-28 Thread Florian Weimer
* Wietse Venema: > Florian Weimer: >> * Wietse Venema: >> >> > Florian Weimer: >> >> * Rich Felker: >> >> >> >> > A solution that would work with existing and future versions of musl >> >> > as well as glibc, and w

Re: PATCH: Glibc-2.31 DNSSEC and GCC 10

2020-04-28 Thread Florian Weimer
* Wietse Venema: > Florian Weimer: >> * Rich Felker: >> >> > A solution that would work with existing and future versions of musl >> > as well as glibc, and would (I think) avoid the need to poke at _res >> > to set the glibc trustad flag, wou

Re: PATCH: Glibc-2.31 DNSSEC and GCC 10

2020-04-28 Thread Florian Weimer
* Rich Felker: > A solution that would work with existing and future versions of musl > as well as glibc, and would (I think) avoid the need to poke at _res > to set the glibc trustad flag, would be replacing the call to > res_query with res_mkquery, |='ing the AD bit into place, then > res_send.

Re: PATCH: Glibc-2.31 DNSSEC and GCC 10

2020-04-17 Thread Florian Weimer
* Viktor Dukhovni: > The RFC requirement is more than optional, it is unrealistic. Doing > DNSSEC-validation in each application is not practical, there is no > broadly deployed (on all the BSDs, Linux, Solaris, ...) library that > does this, and each application would potentially need its own >

Re: PATCH: Glibc-2.31 DNSSEC and GCC 10

2020-04-17 Thread Florian Weimer
* Wietse Venema: > Florian Weimer: >> > My patch does not make security any worse than it was prior to >> > GLIBC 2.31. This is all I can do for stable Postfix releases: >> > ensure that shit does not stop working after an OS update. >> > >>

Re: PATCH: Glibc-2.31 DNSSEC and GCC 10

2020-04-17 Thread Florian Weimer
* Wietse Venema: > Florian Weimer: >> * Wietse Venema: >> >> > Vladimir Lomov: >> >> I'm a bit bewildered. Does this mean that all is Ok with glibc 2.31 with >> >> 'options trust-ad' and postfix 3.5.0 or it is depend strongly on used >> >

Re: Outgoing DANE not working

2020-04-17 Thread Florian Weimer
* Rich Felker: > On Wed, Apr 15, 2020 at 08:27:08PM +0200, Florian Weimer wrote: >> >> I don't understand your PTR example. It seems such a fringe case that >> >> people produce larger PTR responses because they add all virtual hosts >> >> to

Re: PATCH: Glibc-2.31 DNSSEC and GCC 10

2020-04-16 Thread Florian Weimer
* Wietse Venema: > Vladimir Lomov: >> I'm a bit bewildered. Does this mean that all is Ok with glibc 2.31 with >> 'options trust-ad' and postfix 3.5.0 or it is depend strongly on used >> 'options'? > > This patch avoids the need to add options to resolv.conf. Does Postfix perform its own DNSSEC

Re: Outgoing DANE not working

2020-04-15 Thread Florian Weimer
* Rich Felker: > On Wed, Apr 15, 2020 at 07:19:43PM +0200, Florian Weimer wrote: >> * Rich Felker: >> >> > This is true for users running local nameservers, which ideally will >> > eventually be everyone, but at present that's far from the case. >> >

Re: Outgoing DANE not working

2020-04-15 Thread Florian Weimer
* Rich Felker: > This is true for users running local nameservers, which ideally will > eventually be everyone, but at present that's far from the case. > Differences like concurrent attempts from multiple nameservers and/or > lack of TCP fallback on TC are what makes netstat fast on musl vs >