Re: Building consensus over DNSSEC enhancements to glibc.
[Posted November 17, 2015 by corbet]
| From: | Paul Wouters <pwouters-AT-redhat.com> |
| To: | "Carlos O'Donell" <carlos-AT-redhat.com>, Petr Spacek <pspacek-AT-redhat.com>, libc-alpha-AT-sourceware.org |
| Subject: | Re: Building consensus over DNSSEC enhancements to glibc. |
| Date: | Mon, 16 Nov 2015 18:40:24 +0900 |
| Message-ID: | <5649A488.6090605@redhat.com> |
| Cc: | Simo Sorce <simo-AT-redhat.com> |
On 11/14/2015 01:22 PM, Carlos O'Donell wrote:
> On 11/06/2015 04:42 AM, Petr Spacek wrote:
>> The proposed AD bit stripping was an easy and cheap way to do this at one
>> place in the system, with central configuration, which would allow us to
>> eliminate all kinds of weird re-implementations in applications.
>
> You have it.
>
> Use `options dns-strip-dnssec-ad-bit` until you have NetworkManager running
> with the right options and a local validating resolver.
>
> I agree with Rich Felker. You must not allow anything to change /etc/resolv.conf
> that isn't the master process (e.g. resolvconf in Ubuntu) which is in charge of
> policy.
That is not a realistic policy. If such a policy resulted in workable systems, we would
have selinuxed the shit out of /etc/resolv.conf to make sure no one could ever edit it.
People too often depend on other processes (vpn clients, puppet, ansible and whatnot) that
require them (for stupid reasons we will keep telling them to fix) to change resolv.conf.
Paul