Don't enable DNSSEC by default in -resolver. #268

Merged
merged 2 commits into from Oct 26, 2017


briansmith
Contributor

It is too easy for a library to accidentally add an OpenSSL dependency
through Trust-DNS by using Trust-DNS without disabling the default
features. This is especially bad because a library that hasn't
consciously chosen what to do about DNSSEC won't provide any APIs for
controlling if DNSSEC is used or how to configure its use (e.g.
configuring trust anchors).

The same applies to the ipconfig configure.

Resolve both by defaulting to not having these features.
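
An added example, not part of the pull request or the project's code: one way a downstream crate can check whether OpenSSL enters its build through a dependency left on default features. It walks data shaped like `cargo metadata --format-version 1` output; the sample graph and the crate names `my-lib` and `resolver-crate` are constructed, and a single root package (not a virtual workspace) is assumed.

```python
import json
from collections import deque

# Constructed sample shaped like `cargo metadata --format-version 1` output.
# "my-lib" and "resolver-crate" are hypothetical; only the fields read below are kept.
SAMPLE = json.loads("""
{"packages": [
  {"id": "my-lib 0.1.0", "name": "my-lib", "dependencies": [{"name": "resolver-crate", "uses_default_features": true}]},
  {"id": "resolver-crate 0.6.0", "name": "resolver-crate", "dependencies": [{"name": "openssl", "uses_default_features": true}]},
  {"id": "openssl 0.9.0", "name": "openssl", "dependencies": [{"name": "openssl-sys", "uses_default_features": true}]},
  {"id": "openssl-sys 0.9.0", "name": "openssl-sys", "dependencies": []}
 ],
 "resolve": {"root": "my-lib 0.1.0", "nodes": [
  {"id": "my-lib 0.1.0", "dependencies": ["resolver-crate 0.6.0"]},
  {"id": "resolver-crate 0.6.0", "dependencies": ["openssl 0.9.0"]},
  {"id": "openssl 0.9.0", "dependencies": ["openssl-sys 0.9.0"]},
  {"id": "openssl-sys 0.9.0", "dependencies": []}
 ]}}
""")


def path_to(metadata, target="openssl-sys"):
    """Shortest chain of (parent, child, uses_default_features) edges from root to target; [] if absent."""
    pkgs = {p["id"]: p for p in metadata["packages"]}
    graph = {n["id"]: n["dependencies"] for n in metadata["resolve"]["nodes"]}
    root = metadata["resolve"]["root"]
    parent = {root: None}  # breadth-first search tree, child id -> parent id
    queue = deque([root])
    while queue:
        node = queue.popleft()
        if pkgs[node]["name"] == target:
            edges = []
            while parent[node] is not None:  # walk back up to the root
                up = pkgs[parent[node]]
                name = pkgs[node]["name"]
                decl = next((d for d in up["dependencies"] if d["name"] == name), {})
                edges.append((up["name"], name, decl.get("uses_default_features", True)))
                node = parent[node]
            return edges[::-1]
        for child in graph.get(node, []):
            if child not in parent:
                parent[child] = node
                queue.append(child)
    return []


if __name__ == "__main__":
    for up, down, defaults in path_to(SAMPLE):
        print(f"{up} -> {down} (default features: {'on' if defaults else 'off'})")
```

An edge reported with default features on is a place where the dependent crate's `Cargo.toml` could set `default-features = false` and opt in to only the features it has deliberately chosen.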

@coveralls

Coverage Status

Coverage increased (+0.02%) to 87.384% when pulling 6de873b on briansmith:no-default-dnssec into 1ff7b96 on bluejekyll:master.

@bluejekyll
Member

I worry about the ipconfig part. On Win64 this is necessary for nameserver configuration based on the system. Won't this make configuration of DNS more difficult in that environment?

I agree about getting rid of the default dependency on OpenSSL and DNSSEC.

@briansmith
Contributor Author

> On Win64 this is necessary for nameserver configuration based on the system. Won't this make configuration of DNS more difficult in that environment?

I will pull the ipconfig part out of the PR.

@bluejekyll bluejekyll self-requested a review October 26, 2017 02:03
It is too easy for a library to accidentally add an OpenSSL dependency
through Trust-DNS by using Trust-DNS without disabling the default
features. This is especially bad because a library that hasn't
consciously chosen what to do about DNSSEC won't provide any APIs for
controlling if DNSSEC is used or how to configure its use (e.g.
configuring trust anchors).

Resolve both by defaulting to not having DNSSEC by default.
@briansmith briansmith changed the title Don't enable DNSSEC or ipconfig by default in -resolver. Don't enable DNSSEC by default in -resolver. Oct 26, 2017
@coveralls

Coverage Status

Coverage increased (+0.02%) to 87.384% when pulling af6bfc4 on briansmith:no-default-dnssec into 1ff7b96 on bluejekyll:master.

@coveralls

Coverage Status

Coverage decreased (-0.02%) to 87.307% when pulling 4a22161 on briansmith:no-default-dnssec into 5ad51b4 on bluejekyll:master.

@bluejekyll bluejekyll merged commit 076d10f into hickory-dns:master Oct 26, 2017
@briansmith briansmith deleted the no-default-dnssec branch October 30, 2017 22:59