Date: Sun, 3 May 2020 00:52:22 +0200
From: Bartosz Brachaczek <b.brachaczek@...il.com>
To: musl@...ts.openwall.com
Subject: Re: TCP support in the stub resolver

On Sat, May 2, 2020 at 5:44 PM Rich Felker <dalias@...c.org> wrote:

> On Sat, May 02, 2020 at 05:28:48PM +0200, Florian Weimer wrote:
> > * Rich Felker:
> >
> > > On Tue, Apr 21, 2020 at 07:26:08PM +0200, Florian Weimer wrote:
> > >> * Rich Felker:
> > >>
> > >> >> I'm excited that Fedora plans to add a local caching resolver by
> > >> >> default. It will help with a lot of these issues.
> > >> >
> > >> > That's great news! Will it be DNSSEC-enforcing by default?
> > >>
> > >> No. It is currently not even DNSSEC-aware, in the sense that you
> > >> can't get any DNSSEC data from it. That's the sad part.
> > >
> > > That's really disappointing. Why? Both systemd-resolved and dnsmasq,
> > > the two reasonable (well, reasonable for distros using systemd already
> > > in the systemd-resolved case :) options for this, support DNSSEC fully
> > > as I understand it. Is it just being turned off by default because of
> > > risk of breaking things, or is some other implementation that lacks
> > > DNSSEC being used?
> >
> > It's systemd-resolved. As far as I can tell, it does not provide
> > DNSSEC data on the DNS client interface.
>
> According to this it does:
>
> https://wiki.archlinux.org/index.php/Systemd-resolved#DNSSEC
>
> However it's subject to downgrade attacks unless you edit a config
> file. Note that the example shows:
>
> ....
> -- Data is authenticated: yes
>
> so it looks like it's setting the AD bit like it should.
>

Relevant info:
https://fedoraproject.org/wiki/Changes/systemd-resolved#DNSSEC