Maybe it's time to get rid of tcpwrappers/tcpd?

Paul Wouters paul at nohats.ca
Fri Mar 21 17:05:51 UTC 2014


On Fri, 21 Mar 2014, Lennart Poettering wrote:

> As long as -lresolve (i.e. glibc and getaddrinfo()) can't do DNSSEC it's
> just not there...

You are proposing changing the API of getaddrinfo()? Good luck with
that.

Yes, applications that want to see DNSSEC results will have to do a little bit
of extra work. It's not the end of the world. Applications that only
care about the DNS being protected should just continue using their current
API, and hopefully resolv.conf points to localhost so the local DNS
server will return SERVFAILs to the applications for spoofed DNS.

>> Some progress is being made elsewhere to come up with an API that's
>> somewhere in the middle between blind AD bit trust and running a
>> full dnssec cache in the application, eg getdns api:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1070510
>
> Ah, yet another DNS API... Because we have so few... A library with an
> API of getdns_list_create_with_extended_memory_functions() looks really
> promising... not!

It's built on top of libunbound. You can use libunbound directly.

Paul
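The two points above (an application using the plain stub API only ever sees the AD bit and the RCODE, and the AD bit is only worth something when resolv.conf points at a validator on localhost) can be made concrete with a small parser. This is an added example, not code from the thread, from glibc, or from getdns/libunbound: it decodes a DNS response header, parses a resolv.conf, and decides what the application may conclude. The DNS messages and resolv.conf contents are constructed inline; the classification labels ("secure", "insecure", "servfail", "unknown") are this example's own naming, not an API of any of the libraries discussed.

```python
"""Offline illustration of what a stub-resolver application can learn about
DNSSEC from a response header, and when it may trust the AD bit.

Added example, not from the original mailing-list post. All DNS messages and
resolv.conf texts below are constructed by hand.
"""
import ipaddress
import struct

RCODE_NOERROR = 0
RCODE_SERVFAIL = 2

# Flag bits of the 16-bit DNS header flags word (RFC 1035, RFC 4035 s3.2.3)
FLAG_QR = 0x8000  # response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # Authenticated Data: resolver claims it validated the answer
FLAG_CD = 0x0010  # Checking Disabled: client asked the resolver not to validate


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into a dict of fields."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def build_response(ident: int, rcode: int, ad: bool, ancount: int = 0) -> bytes:
    """Build a minimal response header (constructed test input, no RRs)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", ident, flags, 1, ancount, 0, 0)


def resolvers_from_resolv_conf(text: str) -> list:
    """Return the nameserver addresses listed in a resolv.conf body."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                pass  # ignore malformed entries, as a stub resolver would
    return servers


def resolver_path_trusted(text: str) -> bool:
    """True only if every configured nameserver is on loopback.

    A validating resolver on localhost is the case the post hopes for: the
    AD bit then cannot have been set by anything on the wire between the
    application and the validator.
    """
    servers = resolvers_from_resolv_conf(text)
    return bool(servers) and all(s.is_loopback for s in servers)


def classify(header: dict, path_trusted: bool) -> str:
    """What the application may conclude from a stub-API style answer.

    'servfail' is all a validating resolver can say through getaddrinfo():
    the application cannot tell a validation failure from a broken server.
    'unknown' means the AD bit carries no information on this path.
    """
    if header["rcode"] == RCODE_SERVFAIL:
        return "servfail"
    if header["rcode"] != RCODE_NOERROR:
        return "unknown"
    if header["cd"] or not path_trusted:
        return "unknown"
    return "secure" if header["ad"] else "insecure"


if __name__ == "__main__":
    local = "nameserver 127.0.0.1\n"
    remote = "nameserver 192.0.2.53  # some resolver across the LAN\n"
    good = parse_header(build_response(0x1234, RCODE_NOERROR, ad=True, ancount=1))
    bad = parse_header(build_response(0x1235, RCODE_SERVFAIL, ad=False))
    for name, conf in (("localhost", local), ("remote", remote)):
        trusted = resolver_path_trusted(conf)
        print(name, classify(good, trusted), classify(bad, trusted))
```

The `classify` step is the inference an AD-bit-trusting application has to make itself; a getdns-style or libunbound-based application gets a validation status from the library instead of reconstructing it from header bits and resolv.conf.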

