* Matthew Grant:

> From my investigations this can only be enabled by recompiling each bit
> of software to set the RES_USE_DNSSEC flag in _res.options, as well as
> RES_USE_EDNS0. (Please see racoon bug #679483). The enablement method
> is from openssh 6.0p1, openbsd-compat/getrrsetbyname.c
This does not actually activate DNSSEC, it just tells the recursive
resolver that the application is able to process DNSSEC records. The
application would still have to validate them. Applications should never
need to set the RES_USE_DNSSEC flag because it does not make sense to
treat DNSSEC-signed data differently from unsigned data.

> Please create a resolv.conf flag so that RES_USE_DNSSEC is available
> to the systems administrator, and maybe a debconf screen to select it.

This alone wouldn't make any difference to the spoofing problem. libc is
not the correct place to put DNSSEC validation because many processes are
short-lived and would have to fetch all key material and signatures from
DNS, beginning at the root. This would turn a single name resolution into
six or more DNS queries, which is excessive.

At this stage, you should run a BIND or Unbound process restricted to
localhost which performs the validation. This validation will happen even
for applications which do not set the RES_USE_DNSSEC flag.

-- 
To UNSUBSCRIBE, email to debian-glibc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/87sjdau1uj....@mid.deneb.enyo.de
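As an added illustration of the distinction drawn in the reply above (example code, not from the message, glibc or openssh), this Python encodes the stub query that RES_USE_EDNS0 | RES_USE_DNSSEC would produce (an EDNS0 OPT record with the DO bit) and shows that the only DNSSEC signal a non-validating stub ever receives is the AD header bit, which is worth trusting only when set by a validating resolver on localhost. The function names and the sample response header are constructed for this example.

```python
import ipaddress
import struct

DO_BIT = 0x8000   # DNSSEC OK flag in the OPT RR TTL field (RFC 3225)
AD_BIT = 0x0020   # Authenticated Data flag in the DNS header (RFC 4035)

def build_query(name, qtype=1, dnssec_ok=False, txid=0x1234):
    """Encode a DNS query; dnssec_ok appends an EDNS0 OPT RR with DO set.
    That is all the stub flags do: advertise that RRSIG/DNSKEY may be returned."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    msg = header + qname + struct.pack(">HH", qtype, 1)
    if dnssec_ok:
        # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size, TTL = flags
        msg += b"\x00" + struct.pack(">HHIH", 41, 4096, DO_BIT, 0)
    return msg

def _skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def query_has_do_bit(msg):
    """True if any record in the message is an OPT RR with DO set."""
    qd, an, ns, ar = struct.unpack(">HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == 41:
            return bool(ttl & DO_BIT)
        off += 10 + rdlen
    return False

def response_is_validated(msg, resolver_ip):
    """Nothing in the stub validates; AD is only meaningful when set by a validating
    resolver reached over a path that cannot be spoofed, i.e. localhost."""
    flags = struct.unpack(">H", msg[2:4])[0]
    return bool(flags & AD_BIT) and ipaddress.ip_address(resolver_ip).is_loopback

# Constructed sample response header: QR=1, RD=1, RA=1, AD=1, NOERROR (flags 0x81A0).
SAMPLE_RESPONSE = struct.pack(">HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)
```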