default local DNS caching name server
Paul Wouters
paul at nohats.ca
Thu Apr 10 15:36:01 UTC 2014
On Thu, 10 Apr 2014, Billy Crook wrote:
> I don't think pointing resolv.conf at 127.0.0.1 is the right answer
> for this. The functionality should be implemented as a 'hosts'
> service to be listed in nsswitch.conf between files and dns.
For security reasons, you really want resolv.conf to only point to
127.0.0.1. Otherwise applications cannot determine the security of
the DNSSEC answers without doing full validation inside every
application themselves.
See recent discussions on the DANE mailinglist regarding the AD bit
discussion:
http://www.ietf.org/mail-archive/web/dane/current/maillist.html
Paul
More information about the devel
mailing list