Date: Sat, 7 Dec 2013 15:19:14 -0500
From: David Magda <dmagda@ee.ryerson.ca>
To: freebsd-stable <freebsd-stable@freebsd.org>
Subject: Re: BIND chroot environment in 10-RELEASE...gone?
Message-ID: <32F0DE7B-0C87-43AC-9FB7-F8F612E9922D@ee.ryerson.ca>
In-Reply-To: <52A2CC82.7000101@bluerosetech.com>
References: <529D9CC5.8060709@rancid.berkeley.edu> <20131204095855.GY29825@droso.dk> <alpine.BSF.2.00.1312041212000.2022@badger.tharned.org> <E915D8A5-1CD0-465B-BAD1-59C45C9415F4@gid.co.uk> <20131205193815.05de3829de9e33197fe210ac@getmail.no> <20131206143944.4873391d@suse3> <20131206220016.BADCAB556F4@rock.dv.isc.org> <1386367748.17212.56515229.7C50AFEB@webmail.messagingengine.com> <20131206223300.89253B55861@rock.dv.isc.org> <1386370916.5659.56527093.3A6A1DF1@webmail.messagingengine.com> <52A28592.1000200@rancid.berkeley.edu> <52A2CC82.7000101@bluerosetech.com>

On Dec 7, 2013, at 02:21, Darren Pilgrim <list_freebsd@bluerosetech.com> wrote:

> You are absolutely right--we need DNSSEC validation in everything. But mapping your web browser analogy to DNS, we only need the library providing getaddrinfo() to validate responses. BIND or Unbound on everything is equivalent to running a caching web proxy on everything. We'd end up with about the same amount of brokenness and stale data issues as well.

Perhaps getaddrinfo(3) should be updated to add a flag to make DNSSEC validation mandatory (or optional?) for a result to be considered "correct"?

http://www.freebsd.org/cgi/man.cgi?query=getaddrinfo

There should also probably be an error code for validation error in gai_strerror(3):

http://www.freebsd.org/cgi/man.cgi?query=gai_strerror&sektion=3

Or is the plan to add the various val_* functions:

http://linux.die.net/man/3/val_getaddrinfo
http://tools.ietf.org/html/draft-hayatnagarkar-dnsext-validator-apihelp
