BIND chroot environment in 10-RELEASE...gone?

David Magda dmagda at ee.ryerson.ca
Sat Dec 7 20:45:39 UTC 2013


On Dec 7, 2013, at 02:21, Darren Pilgrim <list_freebsd at bluerosetech.com> wrote:

> You are absolutely right--we need DNSSEC validation in everything.  But mapping your web browser analogy to DNS, we only need the library providing getaddrinfo() to validate responses.  BIND or Unbound on everything is equivalent to running a caching web proxy on everything. We'd end up with about the same amount of brokenness and stale data issues as well.

Perhaps getaddrinfo(3) should be updated to add a flag to make DNSSEC validation mandatory (or optional?) for a result to be considered "correct"?

	http://www.freebsd.org/cgi/man.cgi?query=getaddrinfo

There should also probably be an error code for validation error in gai_strerror(3):

	http://www.freebsd.org/cgi/man.cgi?query=gai_strerror&sektion=3

Or is the plan to add the various val_* functions:

	http://linux.die.net/man/3/val_getaddrinfo
	http://tools.ietf.org/html/draft-hayatnagarkar-dnsext-validator-api
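
The message above asks for a way for a resolver client to learn whether an answer was DNSSEC-validated and to treat an unvalidated one as an error. The following is an added example (not code from this thread, from FreeBSD, or from libval) that shows the underlying mechanism a stub has to work with today: the AD (Authentic Data) bit in the DNS response header, and a policy switch in the spirit of the proposed flag. The status names, the `accept_answer` policy and the `dnssec_strerror` text are assumptions for illustration; the header layout and bit positions follow RFC 1035 and RFC 4035. The sample headers are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical validation outcomes for a DNSSEC-aware resolver API. These
 * names are assumptions for this example; they are not values defined by
 * getaddrinfo(3), gai_strerror(3) or libval. */
enum dnssec_status {
    DNSSEC_SECURE,    /* validating resolver set the AD bit */
    DNSSEC_INSECURE,  /* answer delivered without validation (no AD bit) */
    DNSSEC_FAILED,    /* SERVFAIL: a validator returns this for bogus data,
                         but it cannot be told apart from other failures */
    DNSSEC_MALFORMED  /* too short, or not a response at all */
};

#define DNS_HEADER_LEN 12
#define FLAG_QR        0x8000u   /* set on responses, clear on queries */
#define FLAG_AD        0x0020u   /* Authentic Data, RFC 4035 section 3.2.3 */
#define RCODE_MASK     0x000Fu
#define RCODE_SERVFAIL 2u

/* Classify a raw DNS response by its header flags. Only the 12-byte header
 * (RFC 1035 section 4.1.1) is inspected; bytes 2-3 hold the flags word.
 * Caveat for the caller: the AD bit is only meaningful when the stub trusts
 * the resolver that set it and the path to it (a validator on localhost, or
 * a channel protected some other way); anything on an untrusted path can
 * set the bit in a forged reply. */
enum dnssec_status classify_response(const uint8_t *msg, size_t len)
{
    if (msg == NULL || len < DNS_HEADER_LEN)
        return DNSSEC_MALFORMED;
    unsigned flags = ((unsigned)msg[2] << 8) | msg[3];
    if (!(flags & FLAG_QR))
        return DNSSEC_MALFORMED;          /* a query, not a response */
    if ((flags & RCODE_MASK) == RCODE_SERVFAIL)
        return DNSSEC_FAILED;
    if (flags & FLAG_AD)
        return DNSSEC_SECURE;
    return DNSSEC_INSECURE;
}

/* Policy in the spirit of the proposed getaddrinfo flag (hypothetical):
 * with require_validation set, only a validated answer is usable.
 * Returns 0 when the answer may be used, -1 when it must be rejected. */
int accept_answer(enum dnssec_status st, int require_validation)
{
    switch (st) {
    case DNSSEC_SECURE:   return 0;
    case DNSSEC_INSECURE: return require_validation ? -1 : 0;
    default:              return -1;
    }
}

/* Human-readable text, analogous to what gai_strerror(3) provides for
 * EAI_* codes; the wording is made up for this example. */
const char *dnssec_strerror(enum dnssec_status st)
{
    switch (st) {
    case DNSSEC_SECURE:    return "answer validated (AD set)";
    case DNSSEC_INSECURE:  return "answer not validated";
    case DNSSEC_FAILED:    return "resolver failed (possible bogus data)";
    default:               return "malformed or non-response message";
    }
}

/* Constructed 12-byte response headers (ID 0x1234, one question section).
 * Flags words: 0x81a0 = QR RD RA AD; 0x8180 = QR RD RA; 0x8182 adds SERVFAIL;
 * 0x0120 = RD AD with QR clear, i.e. a query that merely asks for AD. */
static const uint8_t SAMPLE_SECURE[DNS_HEADER_LEN] =
    {0x12, 0x34, 0x81, 0xa0, 0, 1, 0, 1, 0, 0, 0, 0};
static const uint8_t SAMPLE_INSECURE[DNS_HEADER_LEN] =
    {0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0};
static const uint8_t SAMPLE_SERVFAIL[DNS_HEADER_LEN] =
    {0x12, 0x34, 0x81, 0x82, 0, 1, 0, 0, 0, 0, 0, 0};
static const uint8_t SAMPLE_QUERY[DNS_HEADER_LEN] =
    {0x12, 0x34, 0x01, 0x20, 0, 1, 0, 0, 0, 0, 0, 0};

int main(void)
{
    const uint8_t *samples[] = {SAMPLE_SECURE, SAMPLE_INSECURE,
                                SAMPLE_SERVFAIL, SAMPLE_QUERY};
    const char *labels[] = {"secure", "insecure", "servfail", "query"};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum dnssec_status st = classify_response(samples[i], DNS_HEADER_LEN);
        printf("%-9s -> %s; usable with validation required: %s\n",
               labels[i], dnssec_strerror(st),
               accept_answer(st, 1) == 0 ? "yes" : "no");
    }
    return 0;
}
```

The point of keeping `classify_response` and `accept_answer` separate is that the first reports what the resolver said while the second encodes the caller's policy, which is exactly the split a "validation mandatory or optional" flag on getaddrinfo(3) would need: the same response is accepted or refused depending on the flag, and the refusal can be surfaced through a dedicated error code rather than folded into a generic lookup failure.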
