From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from brightrain.aerifal.cx (brightrain.aerifal.cx [216.12.86.13]) by sourceware.org (Postfix) with ESMTPS id F3EB3382E80B for ; Thu, 4 Mar 2021 14:55:05 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org F3EB3382E80B Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=libc.org Authentication-Results: sourceware.org; spf=none smtp.mailfrom=dalias@libc.org Date: Thu, 4 Mar 2021 09:55:04 -0500 From: Rich Felker To: Florian Weimer Cc: JFLF via Libc-alpha , JFLF Subject: Re: Un-deprecating nss_hesiod? Message-ID: <20210304145504.GM32655@brightrain.aerifal.cx> References: <875z2bhzll.fsf@oldenburg.str.redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <875z2bhzll.fsf@oldenburg.str.redhat.com> User-Agent: Mutt/1.5.21 (2010-09-15) X-Spam-Status: No, score=-5.5 required=5.0 tests=BAYES_00, KAM_DMARC_STATUS, KAM_LAZY_DOMAIN_SECURITY, SPF_HELO_NONE, SPF_NONE, TXREP autolearn=no autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Mar 2021 14:55:08 -0000 On Mon, Mar 01, 2021 at 12:39:50PM +0100, Florian Weimer via Libc-alpha wrote: > * JFLF via Libc-alpha: > > > This is a very valid concern, but hasn't DNSSEC been implemented in > > the glibc resolver in 2019? If so, doesn't that make this point moot? > > The glibc stub resolver is still non-validating. And everyone needs to be running a dnssec-validating (which gives you caching for free, too) nameserver on localhost. Validation does not belong in glibc, but glibc should be pushing distros to ship with a default, out of the box configuration that makes this safe unless the user explicitly overrides/refuses it. Rich