Archive Index This month's Index

Subject: non-validating dnssec in c-ares

non-validating dnssec in c-ares

From: Nikos Mavrogiannopoulos <>
Date: Wed, 18 Jun 2014 10:58:42 +0200

 Few days ago I posted a pull request that adds non-validating dnssec
support in C-ares [0]. Non-validating means that it depends on the
validation performed on the upstream server, and for that reason there
should be a way to specify which servers are trusted for that (e.g., the
validating server running in localhost, or on the host outside the
container, but not the dns server obtained from the hotel dhcp).

Currently the difficulty is that there are no configuration options for
that in resolv.conf; I've added a new one in the patched
(trusted-nameserver), but I've noticed that in many systems resolv.conf
is replaced completely by vpn programs or dhcp clients. What do you
think would be a good approach for c-ares to do to find such servers?
Should that patch go on on even if there is not support for the new
approach in other libraries (like glibc's resolver)?


PS. I've also started a discussion in glibc [1], but it doesn't seem it
is going anywhere.

Received on 2014-06-18