Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 03 May 2020 19:19:54 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: Rich Felker <dalias@...c.org>
Cc: musl@...ts.openwall.com
Subject: Re: TCP support in the stub resolver

* Rich Felker:

> Normally applications don't want to do their own DNSSEC validation,
> just get back a valid AD flag indicating that the trusted nameserver
> did it, and AIUI it works with systemd-resolved, but indeed with a
> non-broken nameserver it should still be possible for the application
> to do it. Are you saying that, if you request full DNSSEC data with
> EDNS0 DO flag, systemd-resolved refuses to give it? Does dig
> +trace/+dnssec fail to work with it?

The answer to a EDNS0 query does not contain any DNSSEC data even if
the DO bit is set.  The data in the additional section of such
responses seems to be corrupted (dig reports parse errors).  The CD
flag in the query is apparently ignored.

(I still need to investigate the details, sorry.)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.