Date:      Sun, 08 Dec 2013 08:23:16 +1100
From:      Mark Andrews <marka@isc.org>
To:        David Magda <dmagda@ee.ryerson.ca>
Cc:        freebsd-stable <freebsd-stable@freebsd.org>
Subject:   Re: BIND chroot environment in 10-RELEASE...gone?
Message-ID:  <20131207212317.39A05B596DF@rock.dv.isc.org>
In-Reply-To: Your message of "Sat, 07 Dec 2013 15:19:14 -0500." <32F0DE7B-0C87-43AC-9FB7-F8F612E9922D@ee.ryerson.ca>
References:  <529D9CC5.8060709@rancid.berkeley.edu> <20131204095855.GY29825@droso.dk> <alpine.BSF.2.00.1312041212000.2022@badger.tharned.org> <E915D8A5-1CD0-465B-BAD1-59C45C9415F4@gid.co.uk> <20131205193815.05de3829de9e33197fe210ac@getmail.no> <20131206143944.4873391d@suse3> <20131206220016.BADCAB556F4@rock.dv.isc.org> <1386367748.17212.56515229.7C50AFEB@webmail.messagingengine.com> <20131206223300.89253B55861@rock.dv.isc.org> <1386370916.5659.56527093.3A6A1DF1@webmail.messagingengine.com> <52A28592.1000200@rancid.berkeley.edu> <52A2CC82.7000101@bluerosetech.com> <32F0DE7B-0C87-43AC-9FB7-F8F612E9922D@ee.ryerson.ca>


In message <32F0DE7B-0C87-43AC-9FB7-F8F612E9922D@ee.ryerson.ca>, David Magda writes:
> On Dec 7, 2013, at 02:21, Darren Pilgrim <list_freebsd@bluerosetech.com>
> wrote:
>
> > You are absolutely right--we need DNSSEC validation in everything.  But
> > mapping your web browser analogy to DNS, we only need the library
> > providing getaddrinfo() to validate responses.  BIND or Unbound on
> > everything is equivalent to running a caching web proxy on everything.
> > We'd end up with about the same amount of brokenness and stale data
> > issues as well.

FUD.  In both cases you are using a cache (it's just local vs remote).
 
> Perhaps getaddrinfo(3) should be updated to add a flag to make DNSSEC
> validation mandatory (or optional?) for a result to be consider "correct"?
>
> 	http://www.freebsd.org/cgi/man.cgi?query=getaddrinfo
>
> There should also probably be an error code for validation error in
> gai_strerror(3):
>
> 	http://www.freebsd.org/cgi/man.cgi?query=gai_strerror&sektion=3
>
> Or is the plan to add the various val_* functions:
>
> 	http://linux.die.net/man/3/val_getaddrinfo
> 	
> http://tools.ietf.org/html/draft-hayatnagarkar-dnsext-validator-api

Note it is not just getaddrinfo.  It's every lookup that needs to be
validated.  MX, SRV, TXT ...

> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
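The point Mark makes above (validation is a property of every lookup, not of getaddrinfo alone) is easiest to see at the wire level. The following is an added example, not code from the thread, ISC or FreeBSD: it builds DNSSEC-aware queries (EDNS0 with the DO bit) for A, MX, SRV and TXT and classifies the resolver's answer from the header alone, the way a stub talking to a validating resolver on loopback would. The AD bit is the resolver's statement that the data validated; SERVFAIL is what a validating resolver returns for bogus data when CD is not set. The responses are constructed inline for illustration, the domain name is hypothetical, and the status names ("secure", "insecure", "bogus") are this example's own. The check is identical for every record type, which is the reason a per-lookup validating resolver is needed rather than a getaddrinfo flag.

```python
# Added example: read the DNSSEC validation status of any DNS answer from the
# response header. Standard library only, no network; responses are constructed.
# Assumption: the resolver is a validator reached over a trusted path (loopback).
# Over an untrusted path the AD bit proves nothing, since anyone who can spoof
# the answer can also set the bit.
import struct

QTYPES = {"A": 1, "MX": 15, "TXT": 16, "AAAA": 28, "SRV": 33}

# Header flag bits (RFC 1035 / RFC 4035).
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3


def encode_name(name):
    """Wire-encode an owner name as length-prefixed labels ending in the root."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Query with RD set plus an OPT RR carrying the DO bit (DNSSEC OK)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode /
    # version / flags with DO (0x8000) in the low 16 bits, RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the fixed 12-byte header; only the fields the check needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
    }


def validation_status(query, response):
    """
    Classify a response to `query`: secure, insecure, bogus, nxdomain, error
    or mismatch. Record type does not enter into it; MX, SRV and TXT answers
    are judged exactly like A answers.
    """
    q = parse_header(query)
    r = parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        return "mismatch"        # not an answer to this question
    if r["rcode"] == RCODE_SERVFAIL:
        return "bogus"           # validator withheld data that failed validation
    if r["rcode"] == RCODE_NXDOMAIN:
        return "nxdomain"
    if r["rcode"] != RCODE_NOERROR:
        return "error"
    # NOERROR without AD: unsigned zone, or a resolver that does not validate.
    return "secure" if r["ad"] else "insecure"


def make_response(query, extra_flags=0, rcode=RCODE_NOERROR):
    """Constructed response for demonstration: same id and question, answer flags set."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | extra_flags | rcode
    return struct.pack("!HH", txid, flags) + query[4:]


if __name__ == "__main__":
    for qtype in ("A", "MX", "SRV", "TXT"):
        q = build_query("example.com.", qtype)   # hypothetical name
        cases = (
            ("validated", make_response(q, FLAG_AD)),
            ("unsigned", make_response(q)),
            ("bogus", make_response(q, rcode=RCODE_SERVFAIL)),
        )
        for label, resp in cases:
            print(f"{qtype:4s} {label:10s} -> {validation_status(q, resp)}")
```

A real stub would send `build_query()` over UDP to 127.0.0.1:53 and feed the reply to `validation_status()`; the "insecure" result is the one that deserves attention, because it is indistinguishable from a forged answer unless the resolver on the other end is known to validate.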


