Maybe it's time to get rid of tcpwrappers/tcpd?

Lennart Poettering mzerqung at 0pointer.de
Fri Mar 21 16:55:42 UTC 2014


On Fri, 21.03.14 12:37, Paul Wouters (paul at nohats.ca) wrote:

> On Fri, 21 Mar 2014, Lennart Poettering wrote:
> 
> >>we kinda do have dnssec per default. All DNS servers installed per
> >>default do DNSSEC. Installing dnssec-trigger makes that even more
> >>pervasive.
> >
> >Well, but glibc can't do the DNSSEC client side, can it?
> 
> Applications that want to do DNSSEC validation can use one of the
> dns libraries available (libunbound, libisc, ldns, libval) or their
> python/perl bindings. Or they can trust the system and depend on the AD
> bit from a locally running nameserver.

Well, but tcpd doesn't use that.

As long as -lresolve (i.e. glibc and getaddrinfo()) can't do DNSSEC it's
just not there...

> Some progress is being made elsewhere to come up with an API that's
> somewhere in the middle between blind AD bit trust and running a
> full dnssec cache in the application, eg getdns api:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1070510

Ah, yet another DNS API... Because we have so few... A library with an
API of getdns_list_create_with_extended_memory_functions() looks really
promising... not!

Lennart

-- 
Lennart Poettering, Red Hat
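The "trust the system and depend on the AD bit from a locally running nameserver" model discussed above, as an added example in Python (not code from this thread, glibc, tcpd or getdns): it builds a DNS query with EDNS0 and the DO bit, parses the wire-format reply, and reads the AD flag, which getaddrinfo() never exposes to the caller. Assumed, not from the thread: the validating resolver listens on loopback, the two sample replies are constructed here rather than captured, and 192.0.2.1 is RFC 5737 documentation space.

```python
"""Stub-resolver side of the "trust the local validator's AD bit" model.
Added example; assumes the validating nameserver runs on loopback and
uses constructed sample replies (no real traffic)."""
import ipaddress
import socket
import struct

# Header flag bits (RFC 1035; AD and CD from RFC 4035).
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
EDNS_DO = 0x8000          # DO bit lives in the OPT record's 32-bit "TTL" field


def encode_name(name):
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def skip_name(msg, off):
    """Advance past a (possibly compressed) name, returning the next offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += length + 1


def build_query(name, txid, qtype=TYPE_A):
    """RD+AD in the header (AD in a query asks for AD in the reply, RFC 6840 5.7),
    plus an OPT record advertising a 4096-byte buffer with DO set."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD | FLAG_AD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def build_response(txid, flags, name, addr):
    """Constructed reply: one A record (compressed owner name) and an OPT record."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 1)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
              + ipaddress.IPv4Address(addr).packed)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + answer + opt


def parse_response(msg):
    """Return header fields, whether the server echoed DO, and the answer RRs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4        # QTYPE + QCLASS
    answers, do = [], False
    for section, count in (("an", an), ("ns", ns), ("ar", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            off += rdlen
            if rtype == TYPE_OPT:
                do = bool(ttl & EDNS_DO)
            elif section == "an":
                answers.append((rtype, rdata))
    return {"id": txid, "rcode": flags & 0xF, "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "do": do, "answers": answers}


def authenticated_addresses(resolver_ip, reply, expected_id):
    """Classify a reply as (status, addresses), status being one of
    "secure", "insecure", "untrusted_resolver" or "error".

    AD is a bare header bit: nothing on the wire proves who set it, so it is
    only worth anything from a validating resolver this host runs itself, i.e.
    one reached over loopback. A remote resolver's AD bit can be set or
    cleared by anyone on the path, so it is never promoted to "secure"."""
    if not ipaddress.ip_address(resolver_ip).is_loopback:
        return "untrusted_resolver", []
    r = parse_response(reply)
    if r["id"] != expected_id or r["rcode"] != 0:
        return "error", []
    addrs = [str(ipaddress.IPv4Address(rd)) for t, rd in r["answers"] if t == TYPE_A]
    return ("secure" if r["ad"] else "insecure"), addrs


def query_resolver(name, resolver_ip="127.0.0.1", txid=0x1234, timeout=2.0):
    """Live UDP lookup against a local validator (not exercised offline; a
    real stub would also retry over TCP when the TC bit is set)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver_ip, 53))
        reply, _ = s.recvfrom(4096)
    return authenticated_addresses(resolver_ip, reply, txid)


# Constructed sample replies: one with AD set by the validator, one without.
SIGNED_REPLY = build_response(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD,
                              "example.com", "192.0.2.1")
UNSIGNED_REPLY = build_response(0x1234, FLAG_QR | FLAG_RD | FLAG_RA,
                                "example.com", "192.0.2.1")

if __name__ == "__main__":
    print(authenticated_addresses("127.0.0.1", SIGNED_REPLY, 0x1234))    # ('secure', ['192.0.2.1'])
    print(authenticated_addresses("127.0.0.1", UNSIGNED_REPLY, 0x1234))  # ('insecure', ['192.0.2.1'])
    print(authenticated_addresses("192.0.2.53", SIGNED_REPLY, 0x1234))   # ('untrusted_resolver', [])
```

The point of the loopback check is the one the thread turns on: the AD bit is unsigned metadata, so it is only as trustworthy as the path to the resolver that set it. Code that accepts AD from a resolver handed out by DHCP is doing exactly the "blind AD bit trust" the getdns work is meant to avoid; a full in-process validator (libunbound and friends) is the other end of that spectrum.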

