Message-ID: <CAGxPR-_nqn7cLd_2Qk_NbN+giTyDZBKR6mPqQZLgxASEAebTNw@mail.gmail.com>
Date: Sun, 3 May 2020 00:52:22 +0200
From: Bartosz Brachaczek <b.brachaczek@...il.com>
To: musl@...ts.openwall.com
Subject: Re: TCP support in the stub resolver

On Sat, May 2, 2020 at 5:44 PM Rich Felker <dalias@...c.org> wrote:
> On Sat, May 02, 2020 at 05:28:48PM +0200, Florian Weimer wrote:
> > * Rich Felker:
> >
> > > On Tue, Apr 21, 2020 at 07:26:08PM +0200, Florian Weimer wrote:
> > >> * Rich Felker:
> > >>
> > >> >> I'm excited that Fedora plans to add a local caching resolver by
> > >> >> default. It will help with a lot of these issues.
> > >> >
> > >> > That's great news! Will it be DNSSEC-enforcing by default?
> > >>
> > >> No. It is currently not even DNSSEC-aware, in the sense that you
> > >> can't get any DNSSEC data from it. That's the sad part.
> > >
> > > That's really disappointing. Why? Both systemd-resolved and dnsmasq,
> > > the two reasonable (well, reasonable for distros using systemd already
> > > in the systemd-resolved case :) options for this, support DNSSEC fully
> > > as I understand it. Is it just being turned off by default because of
> > > risk of breaking things, or is some other implementation that lacks
> > > DNSSEC being used?
> >
> > It's systemd-resolved. As far as I can tell, it does not provide
> > DNSSEC data on the DNS client interface.
>
> According to this it does:
>
> https://wiki.archlinux.org/index.php/Systemd-resolved#DNSSEC
>
> However it's subject to downgrade attacks unless you edit a config
> file. Note that the example shows:
>
> ....
> -- Data is authenticated: yes
>
> so it looks like it's setting the AD bit like it should.
>
Relevant info:
https://fedoraproject.org/wiki/Changes/systemd-resolved#DNSSEC
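
As an added illustration (not part of the original message, and not code from musl or systemd-resolved), this is how a stub client can request and check the AD bit mentioned in the quoted text. The function names and the sample reply are constructed for this example.

```python
import struct

# DNS header flag masks (RFC 1035; AD and CD are defined in RFC 4035).
QR, TC, RD, RA, AD, CD = 0x8000, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010

def build_query(qid, name, qtype=1, want_ad=True):
    """Build a query; AD set in a query asks the resolver to report
    validation status in the AD bit of its reply (RFC 6840)."""
    flags = RD | (AD if want_ad else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", qid, flags, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)

def parse_header(msg):
    """Decode the fixed 12-byte header into the fields a stub cares about."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"id": qid, "qr": bool(flags & QR), "tc": bool(flags & TC),
            "ad": bool(flags & AD), "rcode": flags & 0x000F, "ancount": ancount}

def is_authenticated(query, response):
    """True only for a complete, successful, matching reply with AD set.
    AD is an unsigned header bit: it is meaningful only when the path to
    the resolver is trusted (e.g. a validating resolver on loopback)."""
    q, r = parse_header(query), parse_header(response)
    return (r["qr"] and r["id"] == q["id"] and r["rcode"] == 0
            and not r["tc"] and r["ad"])

def constructed_response(query, flags):
    """Constructed sample reply: echoes the question, adds one A record."""
    answer = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return query[:2] + struct.pack("!3H", flags, 1, 1) + query[8:] + answer

if __name__ == "__main__":
    q = build_query(0x1234, "example.org")
    for label, flags in (("validated", QR | RD | RA | AD),
                         ("AD cleared", QR | RD | RA)):
        print(label, is_authenticated(q, constructed_response(q, flags)))
```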