Date: Sat, 7 Dec 2013 15:19:14 -0500 From: David Magda <dmagda@ee.ryerson.ca> To: freebsd-stable <freebsd-stable@freebsd.org> Subject: Re: BIND chroot environment in 10-RELEASE...gone? Message-ID: <32F0DE7B-0C87-43AC-9FB7-F8F612E9922D@ee.ryerson.ca> In-Reply-To: <52A2CC82.7000101@bluerosetech.com> References: <529D9CC5.8060709@rancid.berkeley.edu> <20131204095855.GY29825@droso.dk> <alpine.BSF.2.00.1312041212000.2022@badger.tharned.org> <E915D8A5-1CD0-465B-BAD1-59C45C9415F4@gid.co.uk> <20131205193815.05de3829de9e33197fe210ac@getmail.no> <20131206143944.4873391d@suse3> <20131206220016.BADCAB556F4@rock.dv.isc.org> <1386367748.17212.56515229.7C50AFEB@webmail.messagingengine.com> <20131206223300.89253B55861@rock.dv.isc.org> <1386370916.5659.56527093.3A6A1DF1@webmail.messagingengine.com> <52A28592.1000200@rancid.berkeley.edu> <52A2CC82.7000101@bluerosetech.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Dec 7, 2013, at 02:21, Darren Pilgrim <list_freebsd@bluerosetech.com> = wrote: > You are absolutely right--we need DNSSEC validation in everything. = But mapping your web browser analogy to DNS, we only need the library = providing getaddrinfo() to validate responses. BIND or Unbound on = everything is equivalent to running a caching web proxy on everything. = We'd end up with about the same amount of brokenness and stale data = issues as well. Perhaps getaddrinfo(3) should be updated to add a flag to make DNSSEC = validation mandatory (or optional?) for a result to be consider = "correct"? http://www.freebsd.org/cgi/man.cgi?query=3Dgetaddrinfo There should also probably be an error code for validation error in = gai_strerror(3): http://www.freebsd.org/cgi/man.cgi?query=3Dgai_strerror&sektion=3D= 3 Or is the plan to add the various val_* functions: http://linux.die.net/man/3/val_getaddrinfo = http://tools.ietf.org/html/draft-hayatnagarkar-dnsext-validator-api
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?32F0DE7B-0C87-43AC-9FB7-F8F612E9922D>