F23 System Wide Change: Default Local DNS Resolver

Petr Spacek pspacek at redhat.com
Thu Jun 11 07:15:04 UTC 2015


On 11.6.2015 07:39, P J P wrote:
>    Hello Miloslav,
> 
>> On Wednesday, 10 June 2015 8:55 PM, Miloslav Trmač <mitr at redhat.com> wrote:
>> We’ve had earlier conversations about whether the resolver being used (local,
>> remote, container host) is trusted to perform DNSSEC validation. How is this
>> resolved? The Change page AFAICS doesn’t say.
>>
>> Do you e.g. plan to have a configuration file which tells libc/and other
>> applications dealing with resolv.conf directly to know whether the resolver can
>> be trusted for DNSSEC? Or is perhaps the design that any resolver in
>> /etc/resolv.conf is always trusted for DNSSEC, and sysadmins need to ensure that
>> this is true if they use a remote one?
> 
>    Ummn... not any resolver in resolv.conf, but 127.0.0.1 is considered to be trusted. The proposed change is also to ensure that resolv.conf always has only a 127.0.0.1 entry in it, and nothing else.
> 
> 
> Configuration changes to indicate the 'trusted' character of a resolver were proposed to upstream glibc, but that is yet to be resolved properly.
> 
>   -> https://www.sourceware.org/ml/libc-alpha/2014-11/msg00426.html

Let me add that this concept of a 'trusted' resolver will be added later, when
Glibc gets an extended API which can actually convey the information.

Realistically, in Fedora 23 we will not have the API available because Glibc
upstream is quite unresponsive about this. As a result, we are not going to
declare anything to be 'trusted' in Fedora 23.

For now, apps should not make any assumptions about resolver trustworthiness
(as they did for decades).

-- 
Petr Spacek  @  Red Hat
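An added example, not part of this message or of the Fedora change itself, to make the "only 127.0.0.1 in resolv.conf" rule from the quoted reply concrete: the script below parses resolv.conf text the way glibc reads it (whole-line '#' or ';' comments, only the first MAXNS = 3 nameserver entries are used, and the loopback address is the fallback when no nameserver line exists at all) and reports whether every resolver glibc would actually query is exactly 127.0.0.1. The sample file contents are constructed, and the function and bucket names are the example's own.

```python
import ipaddress

# glibc's stub resolver only uses the first MAXNS (= 3) nameserver entries.
MAXNS = 3

# The one address the quoted change description treats as trusted.
TRUSTED_RESOLVER = ipaddress.ip_address("127.0.0.1")

# Constructed sample files (not taken from any real system).
RESOLV_CONF_LOCAL = """\
# Generated by the local validating resolver
nameserver 127.0.0.1
options edns0
"""

RESOLV_CONF_DHCP = """\
# Generated by a DHCP client
search example.test
nameserver 192.0.2.53
nameserver 2001:db8::53
"""


def parse_nameservers(text):
    """Return the addresses on 'nameserver' lines, in file order.

    Lines whose first non-blank character is '#' or ';' are comments.
    Other keywords (search, domain, options, sortlist) are skipped, and a
    nameserver line with an unparseable address is ignored, as glibc
    ignores it.
    """
    servers = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        if parts[0] != "nameserver" or len(parts) < 2:
            continue
        try:
            servers.append(ipaddress.ip_address(parts[1]))
        except ValueError:
            continue
    return servers


def effective_nameservers(servers):
    """Reduce the parsed list to what glibc will actually query.

    Only the first MAXNS entries are used. If no nameserver line is present
    at all, glibc falls back to the loopback address, so an empty file also
    means "ask 127.0.0.1".
    """
    if not servers:
        return [TRUSTED_RESOLVER]
    return servers[:MAXNS]


def classify(servers):
    """Sort resolvers into three buckets.

    'trusted'        exactly 127.0.0.1, the only entry the change wants in
                     resolv.conf;
    'other_loopback' loopback addresses such as ::1 or 127.0.0.53, which are
                     local but not the address the change names;
    'remote'         anything else. Whether a remote resolver really
                     validated DNSSEC (and so whether the AD bit it sets
                     means anything) is something an application cannot
                     verify on its own.
    """
    buckets = {"trusted": [], "other_loopback": [], "remote": []}
    for addr in servers:
        if addr == TRUSTED_RESOLVER:
            buckets["trusted"].append(str(addr))
        elif addr.is_loopback:
            buckets["other_loopback"].append(str(addr))
        else:
            buckets["remote"].append(str(addr))
    return buckets


def resolv_conf_is_local_only(text):
    """True when every resolver glibc will use is 127.0.0.1."""
    buckets = classify(effective_nameservers(parse_nameservers(text)))
    return (bool(buckets["trusted"])
            and not buckets["other_loopback"]
            and not buckets["remote"])


if __name__ == "__main__":
    for name, text in (("local", RESOLV_CONF_LOCAL), ("dhcp", RESOLV_CONF_DHCP)):
        servers = effective_nameservers(parse_nameservers(text))
        print(name, resolv_conf_is_local_only(text), classify(servers))
```

Note that other loopback addresses (::1, 127.0.0.53) are deliberately reported in their own bucket rather than counted as trusted, because the quoted description names 127.0.0.1 and nothing else; whether a deployment wants to accept them is a local decision, not something this check should assume.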