Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 03 May 2020 19:19:54 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: Rich Felker <dalias@...c.org>
Cc: musl@...ts.openwall.com
Subject: Re: TCP support in the stub resolver

* Rich Felker:

> Normally applications don't want to do their own DNSSEC validation,
> just get back a valid AD flag indicating that the trusted nameserver
> did it, and AIUI it works with systemd-resolved, but indeed with a
> non-broken nameserver it should still be possible for the application
> to do it. Are you saying that, if you request full DNSSEC data with
> EDNS0 DO flag, systemd-resolved refuses to give it? Does dig
> +trace/+dnssec fail to work with it?

The answer to a EDNS0 query does not contain any DNSSEC data even if
the DO bit is set.  The data in the additional section of such
responses seems to be corrupted (dig reports parse errors).  The CD
flag in the query is apparently ignored.

(I still need to investigate the details, sorry.)

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.