From owner-freebsd-stable@FreeBSD.ORG Sat Dec 7 20:45:39 2013
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 9463DBE8; Sat, 7 Dec 2013 20:45:39 +0000 (UTC)
Received: from eccles.ee.ryerson.ca (eccles.ee.ryerson.ca [141.117.1.2]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 575D0185B; Sat, 7 Dec 2013 20:45:39 +0000 (UTC)
Received: from [172.16.2.5] (69-165-136-60.dsl.teksavvy.com [69.165.136.60]) (authenticated bits=0) by eccles.ee.ryerson.ca (8.14.4/8.14.4) with ESMTP id rB7KJ8S6037361 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Sat, 7 Dec 2013 15:19:09 -0500 (EST) (envelope-from dmagda@ee.ryerson.ca)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 6.6 (1510))
Subject: Re: BIND chroot environment in 10-RELEASE...gone?
From: David Magda
In-Reply-To: <52A2CC82.7000101@bluerosetech.com>
Date: Sat, 7 Dec 2013 15:19:14 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <32F0DE7B-0C87-43AC-9FB7-F8F612E9922D@ee.ryerson.ca>
References: <529D9CC5.8060709@rancid.berkeley.edu> <20131204095855.GY29825@droso.dk> <20131205193815.05de3829de9e33197fe210ac@getmail.no> <20131206143944.4873391d@suse3> <20131206220016.BADCAB556F4@rock.dv.isc.org> <1386367748.17212.56515229.7C50AFEB@webmail.messagingengine.com> <20131206223300.89253B55861@rock.dv.isc.org> <1386370916.5659.56527093.3A6A1DF1@webmail.messagingengine.com> <52A28592.1000200@rancid.berkeley.edu> <52A2CC82.7000101@bluerosetech.com>
To: freebsd-stable
X-Mailer: Apple Mail (2.1510)
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Production branch of FreeBSD source code
X-List-Received-Date: Sat, 07 Dec 2013 20:45:39 -0000

On Dec 7, 2013, at 02:21, Darren Pilgrim wrote:

> You are absolutely right--we need DNSSEC validation in everything. But mapping your web browser analogy to DNS, we only need the library providing getaddrinfo() to validate responses. BIND or Unbound on everything is equivalent to running a caching web proxy on everything. We'd end up with about the same amount of brokenness and stale data issues as well.

Perhaps getaddrinfo(3) should be updated to add a flag to make DNSSEC validation mandatory (or optional?) for a result to be considered "correct"?

http://www.freebsd.org/cgi/man.cgi?query=getaddrinfo

There should also probably be an error code for validation error in gai_strerror(3):

http://www.freebsd.org/cgi/man.cgi?query=gai_strerror&sektion=3

Or is the plan to add the various val_* functions:

http://linux.die.net/man/3/val_getaddrinfo
http://tools.ietf.org/html/draft-hayatnagarkar-dnsext-validator-api
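An added illustration of the stub-resolver side of the proposal discussed in this message (it is example code written for this page, not from FreeBSD's libc, BIND, Unbound or the dnssec-tools val_* API). A stub library that does not run its own validator can only learn whether an answer was validated from the AD (Authenticated Data) header bit set by an upstream validating resolver, and that bit is meaningful only when the resolver is reached over a channel the host trusts, which is exactly why Darren's point about validating inside the getaddrinfo() library matters. The flag name AI_DNSSEC_REQUIRED_HYPOTHETICAL and the error code EAI_DNSSEC_HYPOTHETICAL are assumptions standing in for whatever such an extension would be called; the 12-byte DNS headers are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035). */
#define DNS_FLAG_QR         0x8000  /* 1 = response, 0 = query            */
#define DNS_FLAG_AD         0x0020  /* Authenticated Data                 */
#define DNS_FLAG_CD         0x0010  /* Checking Disabled                  */
#define DNS_RCODE_MASK      0x000F
#define DNS_RCODE_SERVFAIL  2
#define DNS_HEADER_LEN      12

/* Hypothetical additions to <netdb.h>, assumed for this example only:
   a getaddrinfo() flag demanding validated answers and an EAI_* code that
   gai_strerror() could describe. Neither exists in FreeBSD's libc. */
#define AI_DNSSEC_REQUIRED_HYPOTHETICAL  0x8000
#define EAI_DNSSEC_HYPOTHETICAL          100

/* Outcome of the stub-side "was this answer validated?" decision. */
enum dnssec_status {
    DNSSEC_MALFORMED     = -1, /* too short, or not a response at all      */
    DNSSEC_NOT_VALIDATED =  0, /* usable only when validation is optional  */
    DNSSEC_VALIDATED     =  1, /* AD set by a resolver this host trusts    */
    DNSSEC_SERVFAIL      =  2  /* validating resolvers answer SERVFAIL for
                                  bogus data unless the query set CD       */
};

/* Read the 16-bit flags word from a wire-format DNS message.
   Returns 0 on success, -1 if the buffer is shorter than a header. */
int dns_header_flags(const uint8_t *msg, size_t len, uint16_t *flags_out)
{
    if (msg == NULL || flags_out == NULL || len < DNS_HEADER_LEN)
        return -1;
    *flags_out = (uint16_t)((msg[2] << 8) | msg[3]);
    return 0;
}

/* Classify a response. trusted_resolver says whether it came from a
   validating resolver over a channel the stub trusts (e.g. a validator
   on localhost); the AD bit is only meaningful then, since anything on
   an untrusted path could set it. */
enum dnssec_status classify_response(const uint8_t *msg, size_t len, int trusted_resolver)
{
    uint16_t flags;
    if (dns_header_flags(msg, len, &flags) != 0)
        return DNSSEC_MALFORMED;
    if (!(flags & DNS_FLAG_QR))
        return DNSSEC_MALFORMED;
    if ((flags & DNS_RCODE_MASK) == DNS_RCODE_SERVFAIL)
        return DNSSEC_SERVFAIL;
    if ((flags & DNS_FLAG_AD) && trusted_resolver)
        return DNSSEC_VALIDATED;
    return DNSSEC_NOT_VALIDATED;
}

/* The policy a getaddrinfo() extension would apply: return 0 when the
   answer may be handed to the application, otherwise the (hypothetical)
   EAI_* code the caller would see. */
int gai_dnssec_result(enum dnssec_status st, int ai_flags)
{
    int required = (ai_flags & AI_DNSSEC_REQUIRED_HYPOTHETICAL) != 0;
    if (st == DNSSEC_VALIDATED)
        return 0;
    if (st == DNSSEC_NOT_VALIDATED && !required)
        return 0;
    return EAI_DNSSEC_HYPOTHETICAL;   /* malformed, SERVFAIL, or unvalidated when required */
}

/* Constructed 12-byte response headers (ID 0x1234, QDCOUNT 1). The check
   above needs only the header, so no question or answer sections follow. */
static const uint8_t sample_ad[DNS_HEADER_LEN] =       /* QR RD RA AD, NOERROR */
    { 0x12, 0x34, 0x81, 0xA0, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00 };
static const uint8_t sample_no_ad[DNS_HEADER_LEN] =    /* QR RD RA, NOERROR    */
    { 0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00 };
static const uint8_t sample_servfail[DNS_HEADER_LEN] = /* QR RD RA, SERVFAIL   */
    { 0x12, 0x34, 0x81, 0x82, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };

int main(void)
{
    int required = AI_DNSSEC_REQUIRED_HYPOTHETICAL;
    printf("AD from trusted resolver, required:   %d\n",
           gai_dnssec_result(classify_response(sample_ad, DNS_HEADER_LEN, 1), required));
    printf("AD from untrusted resolver, required: %d\n",
           gai_dnssec_result(classify_response(sample_ad, DNS_HEADER_LEN, 0), required));
    printf("no AD, optional:                      %d\n",
           gai_dnssec_result(classify_response(sample_no_ad, DNS_HEADER_LEN, 1), 0));
    printf("SERVFAIL, optional:                   %d\n",
           gai_dnssec_result(classify_response(sample_servfail, DNS_HEADER_LEN, 1), 0));
    return 0;
}
```

The trusted_resolver argument is the crux: without a local validator, the library has to decide which resolvers it believes, which is the same trust question the thread is debating, just moved from the resolver process into the stub. A validation-aware error code, as suggested for gai_strerror(3), lets an application distinguish "no such name" from "answer could not be trusted" instead of collapsing both into a generic failure.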