Date: Sun, 03 May 2020 19:19:54 +0200 From: Florian Weimer <fw@...eb.enyo.de> To: Rich Felker <dalias@...c.org> Cc: musl@...ts.openwall.com Subject: Re: TCP support in the stub resolver * Rich Felker: > Normally applications don't want to do their own DNSSEC validation, > just get back a valid AD flag indicating that the trusted nameserver > did it, and AIUI it works with systemd-resolved, but indeed with a > non-broken nameserver it should still be possible for the application > to do it. Are you saying that, if you request full DNSSEC data with > EDNS0 DO flag, systemd-resolved refuses to give it? Does dig > +trace/+dnssec fail to work with it? The answer to a EDNS0 query does not contain any DNSSEC data even if the DO bit is set. The data in the additional section of such responses seems to be corrupted (dig reports parse errors). The CD flag in the query is apparently ignored. (I still need to investigate the details, sorry.)
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.