BIND chroot environment in 10-RELEASE...gone?

Mark Andrews marka at isc.org
Sat Dec 7 21:23:42 UTC 2013


In message <32F0DE7B-0C87-43AC-9FB7-F8F612E9922D at ee.ryerson.ca>, David Magda writes:
> On Dec 7, 2013, at 02:21, Darren Pilgrim <list_freebsd at bluerosetech.com> wrote:
>
> > You are absolutely right--we need DNSSEC validation in everything.  But
> > mapping your web browser analogy to DNS, we only need the library
> > providing getaddrinfo() to validate responses.  BIND or Unbound on
> > everything is equivalent to running a caching web proxy on everything.
> > We'd end up with about the same amount of brokenness and stale data
> > issues as well.

FUD.  In both cases you are using a cache (it's just local vs remote).
 
> Perhaps getaddrinfo(3) should be updated to add a flag to make DNSSEC
> validation mandatory (or optional?) for a result to be consider "correct"?
>
> 	http://www.freebsd.org/cgi/man.cgi?query=getaddrinfo
>
> There should also probably be an error code for validation error in
> gai_strerror(3):
>
> 	http://www.freebsd.org/cgi/man.cgi?query=gai_strerror&sektion=3
>
> Or is the plan to add the various val_* functions:
>
> 	http://linux.die.net/man/3/val_getaddrinfo
> 	
> http://tools.ietf.org/html/draft-hayatnagarkar-dnsext-validator-api

Note it is not just getaddrinfo.  It's every lookup that needs to be
validated.  MX, SRV, TXT ...

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
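The point made above, that validation status has to be checked for every query type and not just the address lookups behind getaddrinfo(3), can be illustrated with a small stub-resolver check. The following is an added example written for this archive page, not code from the thread, FreeBSD or ISC. It parses the DNS message header and question section of a response and reports whether the upstream validating resolver set the AD (Authenticated Data) bit defined in RFC 4035. The responses are constructed inline with the same builder, so it runs offline; the transaction id, names and record types are made up for the demonstration. The same check applies to A, MX, SRV and TXT answers alike, which is why a per-function fix to getaddrinfo() alone is insufficient.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1, RFC 4035 section 3.2.3).
QR = 1 << 15          # response
AD = 1 << 5           # Authenticated Data: validating resolver verified the answer
CD = 1 << 4           # Checking Disabled: client asked for no validation
RCODE_MASK = 0xF
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2    # what a validating resolver returns on validation failure

QTYPE_NAMES = {1: "A", 15: "MX", 16: "TXT", 28: "AAAA", 33: "SRV"}


def encode_name(name):
    """Encode a dotted name into DNS wire-format labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode an uncompressed wire-format name; returns (name, next_offset)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels) + ".", offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer not expected in question section")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_response(qname, qtype, ad, rcode=RCODE_NOERROR, txid=0x1234):
    """Construct a minimal response (header + question) for the demonstration.
    Constructed sample data: no real resolver produced these bytes."""
    flags = QR | (AD if ad else 0) | (rcode & RCODE_MASK)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def parse_response(msg):
    """Extract the fields a stub needs to judge validation status."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & QR:
        raise ValueError("not a response")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return {
        "id": txid,
        "qname": qname,
        "qtype": QTYPE_NAMES.get(qtype, str(qtype)),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rcode": flags & RCODE_MASK,
    }


def classify(msg):
    """Return 'validated', 'unvalidated' or 'servfail' for a response.
    The AD bit is only trustworthy when the path to the validating resolver
    is trusted (e.g. a validator on localhost), since a plain UDP response
    from a remote cache could have the bit set by anyone on the path."""
    info = parse_response(msg)
    if info["rcode"] == RCODE_SERVFAIL:
        # RFC 4035 section 5.5: validation failure is reported as SERVFAIL,
        # indistinguishable from other server failures without extra signalling.
        return "servfail"
    if info["rcode"] == RCODE_NOERROR and info["ad"] and not info["cd"]:
        return "validated"
    return "unvalidated"


# Constructed sample responses covering several record types.
SAMPLES = {
    "A":   build_response("www.example.com.", 1, ad=True),
    "MX":  build_response("example.com.", 15, ad=False),
    "TXT": build_response("example.com.", 16, ad=True),
    "SRV": build_response("_sip._tcp.example.com.", 33, ad=False,
                          rcode=RCODE_SERVFAIL),
}


def report(samples=SAMPLES):
    """Map each record type to its validation status."""
    return {k: classify(v) for k, v in samples.items()}


if __name__ == "__main__":
    for qtype, status in report().items():
        print(f"{qtype:4s} {status}")
```

Running it shows the MX answer arriving without the AD bit even though the A answer next to it was validated, and the SRV lookup collapsing into SERVFAIL; a stub that only validates address records would accept the first and have no way to tell the third apart from an ordinary outage.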

