To: libc-alpha@sourceware.org
From: JFLF
Subject: Un-deprecating nss_hesiod?
Date: Thu, 25 Feb 2021 21:30:45 +0100

Dear all,

Apologies for not participating last July when that topic was brought up, but I don't follow the glibc development closely.

From what I could find, the deprecation of nss_hesiod was justified with the following message:

> Storing user databases in DNS, without client-side DNSSEC validation,
> is problematic from a security point of view.

This is a very valid concern, but hasn't DNSSEC been implemented in the glibc resolver in 2019? If so, doesn't that make this point moot?

Moreover, even without this, Hesiod traffic can be secured to the clients via a local DNSSEC-validating forwarder, DNS-over-TLS or -HTTPS, etc.

Thus the solutions to the lack of security of Hesiod (which it inherits from DNS) have existed for a while, and the responsibility for deploying them rests with the admin (just like LDAP). Unsecured Hesiod isn't less secure than the alternatives (NIS or unsecured LDAP), which haven't been deprecated.

I am aware that Red Hat has deprecated Hesiod in RHEL 7, possibly for support reasons. But there is still a small community of people using Hesiod, and a lot of small deployments and use cases for which the complexity of LDAP isn't justified.

Also, if you based your decision on the lack of bug reports about Hesiod, you should rejoice: it just works! Nss_hesiod works perfectly fine.

So as long as it doesn't affect anything else, may I ask you to consider un-deprecating nss_hesiod?

Thanks!

JF