Roaming, and libresolv being stuck in the 1980's mindset

Philip Prindeville philipp_subx at redfish-solutions.com
Sat Apr 18 20:38:49 UTC 2015



On 04/18/2015 02:25 PM, Björn Persson wrote:
> Philip Prindeville wrote:
>> I recently opened a bug with glibc because persistent programs (like
>> Thunderbird, etc) don't seem to handle roaming onto different
>> networks very well.
>>
>> Or rather, they rely on libresolv which opens /etc/resolv.conf at
>> startup and then ignores changes to the file for the rest of the time
>> the process it is linked to is running.
>>
>> This might have been fine for desktop tower computers in the 1980's
>> (though even then we had PPP and dynamic network settings), but we're
>> in the era of pervasive laptops with internet connections and your
>> settings are going to be volatile.  Period.
> On the other hand those laptops are moving around in a rather hostile
> environment, so they really ought to start doing DNSsec validation
> locally as soon as possible, preferably several years ago. That means
> that libresolv will only ever query the resolver daemon on the local
> host, and has no need to check for updates to resolv.conf.
>
> Some installations may be able to rely on a trusted DNS server doing
> the validation for them, but then their resolv.conf is static, so again
> there is no need to check for updates.
>
> Björn Persson
>

If you're getting bad resolver addresses from your DHCP server, aren't you also potentially getting a bad default gateway and hence setting yourself up for a man-in-the-middle attack?

-Philip
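
An application-side check for the stale /etc/resolv.conf behaviour discussed in this thread, as an added example that is not code from either poster or from glibc: a long-running process records the file's identity and calls res_init() again only when it changes. The names conf_stamp, conf_changed and refresh_resolver are hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* for st_mtim and the BSD types resolv.h uses */
#endif
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>

/* Hypothetical helper type: identity of the resolv.conf last loaded. */
struct conf_stamp {
    int valid;                 /* 0 until the first successful stat() */
    dev_t dev;
    ino_t ino;
    off_t size;
    struct timespec mtime;
};

/* 1 = file differs from *last (and *last is updated), 0 = unchanged,
 * -1 = stat() failed, in which case *last is left alone. */
int conf_changed(const char *path, struct conf_stamp *last)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    /* The file may be replaced via rename(), so compare device and
     * inode as well as size and mtime. */
    int changed = !last->valid
        || st.st_dev != last->dev || st.st_ino != last->ino
        || st.st_size != last->size
        || st.st_mtim.tv_sec != last->mtime.tv_sec
        || st.st_mtim.tv_nsec != last->mtime.tv_nsec;
    last->valid = 1;
    last->dev = st.st_dev;
    last->ino = st.st_ino;
    last->size = st.st_size;
    last->mtime = st.st_mtim;
    return changed;
}

/* Call before a lookup: re-runs res_init() only when the file changed.
 * Returns 1 if reloaded, 0 if nothing to do, -1 on error. */
int refresh_resolver(const char *path, struct conf_stamp *last)
{
    int rc = conf_changed(path, last);
    if (rc == 1 && res_init() != 0)
        return -1;
    return rc;
}
```

This only makes the process pick up whatever the file now says; whether those resolver addresses deserve trust is the separate question the thread is arguing about.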


