On 8 Apr 2014, at 9:54, Petr Spacek <pspa...@redhat.com> wrote:

> On 8.4.2014 15:20, Edward Lewis wrote:
>> From the linked message:
>
> Let me quote the very first part of the message to put it into context:
>
>>>>>>>>> People start to disagree when it comes to questions like "Is it
>>>>>>>>> feasible to rely on a local validating resolver in the near future? How can
>>>>>>>>> applications detect that a validating resolver is not configured and that DNS
>>>>>>>>> responses can't be trusted?"
>>>>>>>>>
>>>>>>>>> Aim of the proposal below is to enable applications to stay safe on
>>>>>>>>> systems without a validating resolver.
>
> In other words, we are looking for a way to augment current APIs to move
> DNSSEC-related knobs from applications to system-wide level (so you don't
> need to tweak OpenSSH config and Postfix config separately, for instance).
I think introducing a new API to inform applications as to what security
measures are in place is going to be messy and complex. The better approach
is surely to let applications decide what features they want and specify
them through the same API they use to perform DNS resolution, e.g.
http://www.vpnc.org/getdns-api/

Joe

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
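The thread's two positions (system-wide DNSSEC knobs versus a resolution API such as getdns that lets the application state what it wants) both respond to the same gap: with the classic stub API an application learns nothing about validation. The following is an added example, not code from the thread or from getdns, showing what an application has to do today on its own: build a query with the AD bit set, read the AD bit and RCODE back out of the response header, and then face the ambiguity that an unset AD bit cannot distinguish "no validating resolver" from "unsigned zone", while a set AD bit is only worth anything over a path the application already trusts. It uses only the Python standard library; the wire-format packing follows the RFC 1035 header layout and the AD/CD flag positions from RFC 4035. The sample responses are constructed inline, and the resolver address 127.0.0.1 is an assumption.

```python
"""Added example (not from the DNSOP thread or from getdns): what an
application must do by itself to learn whether answers were DNSSEC
validated when all it has is a plain stub resolver."""
import os
import socket
import struct

# Header flag bits (second 16-bit word of the DNS header, RFC 1035 / RFC 4035)
FLAG_QR = 0x8000  # response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authenticated data
FLAG_CD = 0x0010  # checking disabled
RCODE_SERVFAIL = 2


def build_query(name: str, qtype: int = 1, want_ad: bool = True) -> bytes:
    """Build a minimal UDP query (class IN). Setting AD in the query asks a
    DNSSEC-aware resolver to report the AD bit in its response."""
    txid = int.from_bytes(os.urandom(2), "big")
    flags = FLAG_RD | (FLAG_AD if want_ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_flags(response: bytes) -> dict:
    """Pull the header fields an application needs to reason about trust."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "id": txid,
        "rcode": flags & 0x000F,
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "answers": an,
    }


def classify(response: bytes, local_resolver: bool) -> str:
    """What the application can conclude from one response.

    local_resolver: True when the resolver is reached over a path the
    application trusts (loopback, for instance). The AD bit is an
    unauthenticated header flag, so off such a path it proves nothing.
    """
    f = parse_flags(response)
    if f["rcode"] == RCODE_SERVFAIL:
        # Validating resolvers answer SERVFAIL for bogus data, but so do
        # resolvers with unrelated upstream trouble: still ambiguous.
        return "servfail"
    if not f["ad"]:
        # Either no validating resolver at all, or a zone that is simply
        # unsigned. The stub API gives no way to tell these apart.
        return "unvalidated"
    return "validated" if local_resolver else "ad-bit-untrusted"


def query_resolver(name: str, server: str = "127.0.0.1", timeout: float = 2.0) -> bytes:
    """Send one UDP query to a resolver (assumed on 127.0.0.1) and return
    the raw response after checking the transaction id."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return resp


# Constructed sample response headers (12 bytes each, id 0x1234, one question):
# validated: QR|RD|RA|AD, one answer
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 0)
# unvalidated: QR|RD|RA with AD clear, one answer
SAMPLE_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)
# SERVFAIL: QR|RD|RA, rcode 2, no answers
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL, 1, 0, 0, 0)


if __name__ == "__main__":
    for label, sample in (("validated", SAMPLE_VALIDATED),
                          ("unvalidated", SAMPLE_UNVALIDATED),
                          ("servfail", SAMPLE_SERVFAIL)):
        print(label, "->", classify(sample, local_resolver=True))
    # Live check against the assumed local resolver (needs network):
    # print(classify(query_resolver("example.com"), local_resolver=True))
```

Every branch of `classify` that returns something other than "validated" is a case the application cannot resolve on its own, which is the concrete reason the thread is looking for either a system-wide policy or a richer resolution API: the stub gives the application a flag, not a decision.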