Carlos O'Donell - Re: [PATCH] Silence resolver logging for DNAME records when DNSSEC is en
This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
- From: "Carlos O'Donell"
- To: Florian Weimer, Siddhesh Poyarekar, libc-alpha at sourceware dot org
- Date: Mon, 23 Feb 2015 10:30:09 -0500
- Subject: Re: [PATCH] Silence resolver logging for DNAME records when DNSSEC is enabled
- Authentication-results: sourceware.org; auth=none
- References: <20150219190506 dot GA20188 at spoyarek dot pnq dot redhat dot com> <54E6EC01 dot 1060906 at redhat dot com> <54E77E75 dot 7050609 at redhat dot com> <54EAFF14 dot 3010203 at redhat dot com> <54EB4074 dot 9080406 at redhat dot com> <54EB415B dot 50303 at redhat dot com>
On 02/23/2015 10:03 AM, Florian Weimer wrote:
> It was introduced to a specific failure case spotted with the first installment of DNSSEC.
> But the same bit was reused for the second installment of DNSSEC, which was totally unrecognizable to implementations of the earlier DNSSEC variant. From their point of view, it could have been something else entirely, they wouldn't know that it was still called DNSSEC.
> DO is generally thought of as “DNSSEC supported”, so you are right, but in practice, it just means, “you can send me properly formatted resource records along with the answer which bear no relationship to the query, and I will still pick out those records I'm interested in”.
Just to be clear, you mean to say:
The DO bit was reused in DNSSECbis.
DNSSECbis itself is changed significantly from DNSSEC.
- Uses new RRs.
- Should not confuse NSEC3-unaware resolvers.
- Should not cause NSEC-aware resolvers to mark NSEC3-aware systems as invalid signatures.
The semantics of the DO bit remain roughly the same.
The DO bit can continue to be used as expected.
I agree with all of those points. Perhaps my confusion was that you wrote "totally unrecognizable" which I interpreted to mean that you were saying the DO bit had somehow changed semantics.
Cheers, Carlos.