Draft support DNSSEC + DANE #16

Closed
wants to merge 4 commits into from

Conversation

@nmav nmav commented Jun 12, 2014

This series of patches adds support for DNSSEC + parsing of DANE structures.

Changes:

  • To add support for sending a query that will set the flags needed by dnssec I had to add the new ares_create_query2().
  • To determine the servers to use when dnssec is requested, it uses /etc/resolv-sec.conf, to avoid issues with programs overwriting the existing resolv.conf (e.g., vpn or dhcp servers).

Nikos Mavrogiannopoulos added 4 commits June 12, 2014 10:14
That adds the ARES_FLAG_DNSSEC flag, which enables
the extensions needed for the server to send a DNSSEC
reply.

That flag ensures that if DNSSEC is not used in the reply, and
the AD bit is not set, then the query will fail with ARES_ENODNSSEC.

This adds ares_parse_tlsa_reply().

…tagged as trusted.

The trusted nameservers are read from PATH_RESOLV_SEC_CONF which
is /etc/resolv-sec.conf in Linux. That file is assumed to have the
same format as /etc/resolv.conf and contain all the nameservers
trusted for DNSSEC.
@spacekpe

Please note that this approach is being discussed on libc-alpha list: https://sourceware.org/ml/libc-alpha/2014-06/msg00512.html

Currently there is no definitive decision about configuration file format so there is some risk of creating incompatibilities between various resolver libraries.

nmav commented Aug 11, 2014

Indeed there was some discussion in libc-alpha, but it was never concluded. To be honest the libc API is unsuitable for DNSSEC as it has too much global state that would require an application to either use DNSSEC or not. That is unsuitable for libraries, so I question how relevant libc is for a dnssec API. Indeed they are the primary user of resolv.conf but I don't believe that the deployment of DNSSEC in unrelated libraries should be blocked indefinitely until libc-alpha makes a decision.

@nmav nmav closed this Sep 5, 2014