dns resolver does not support dnssec
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
glibc (Ubuntu) | Fix Released | Wishlist | Unassigned |
Bug Description
RES_USE_DNSSEC is not defined in /usr/include/
I've attached a pcap file with three queries. The first is generated by DIG, and shows that the server is authenticating data when requested. The second and third were generated by OpenSSH. I note that the first and third queries appear to be identical except for the port number and request ID; from the trace I cannot see why the server authenticated the first response, but not the second.
Anyway, this is a security issue for those of us who rely on DNSSEC.
Changed in glibc:
status: New → Confirmed
importance: Undecided → Wishlist
tags: added: dnssec
tags: added: dns
tags: added: patch-needswork
tags: added: patch removed: patch-needswork
Here's one for the wishlist:
This patch allows applications to set the RES_USE_DNSSEC resolver option, so that the resolver adds DO=1 in EDNS0 queries. EDNS0 needs to be enabled with RES_USE_EDNS0 or "options edns0" in /etc/resolv.conf.
It does not include any form of DNSSEC validation.
This patch also adds "options dnssec-ok" for /etc/resolv.conf, though it should be used only when really needed.
More words here: http://bd.hauke-lampe.de/dnssec/adding-res_use_dnssec-to-glibc.html
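As an added example, not code from the bug report or from the patch linked above: a C program that turns on the resolver options the patch describes and then checks the AD (Authenticated Data) flag in the answer, which is the check an application such as OpenSSH's SSHFP lookup depends on once DO=1 is sent. It assumes a glibc-style resolv.h (link with -lresolv on glibc older than 2.34); the two sample headers are constructed, not captured traffic.

```c
#include <stdio.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>

/* Enable EDNS0 and ask for DNSSEC data (DO=1). Returns 1 on success, 0 if
 * this libc lacks RES_USE_DNSSEC (the condition the report describes),
 * -1 if res_init() fails. */
int enable_dnssec_queries(void)
{
    if (res_init() != 0)
        return -1;
    _res.options |= RES_USE_EDNS0;   /* same as "options edns0" */
#ifdef RES_USE_DNSSEC
    _res.options |= RES_USE_DNSSEC;  /* same as "options dnssec-ok" */
    return 1;
#else
    return 0;
#endif
}

/* DO=1 only asks the upstream validating resolver to validate; the caller
 * still has to check AD, bit 5 of the fourth header byte (RA Z AD CD RCODE).
 * Returns 1 if AD is set, 0 if not, -1 if the buffer is shorter than a header. */
int answer_is_authenticated(const unsigned char *answer, int len)
{
    if (len < NS_HFIXEDSZ)
        return -1;
    return (answer[3] & 0x20) ? 1 : 0;
}

/* Constructed sample headers, not captured traffic: flags 0x81a0 carry
 * QR, RD, RA and AD; 0x8180 is the same answer without AD. */
const unsigned char sample_ad_set[NS_HFIXEDSZ]   = {0x12,0x34,0x81,0xa0,0,1,0,1,0,0,0,0};
const unsigned char sample_ad_clear[NS_HFIXEDSZ] = {0x12,0x34,0x81,0x80,0,1,0,1,0,0,0,0};

int main(int argc, char **argv)
{
    unsigned char answer[NS_PACKETSZ];
    if (argc < 2 || enable_dnssec_queries() <= 0) {
        fprintf(stderr, "usage: %s name (needs RES_USE_DNSSEC)\n", argv[0]);
        return 1;
    }
    int n = res_query(argv[1], ns_c_in, ns_t_a, answer, sizeof answer);
    if (n < 0) {
        perror("res_query");
        return 1;
    }
    printf("%s: AD=%d\n", argv[1], answer_is_authenticated(answer, n));
    return 0;
}
```

Run it against a name that the configured resolver validates; AD=0 for a signed zone means the DO bit did not reach a validating resolver, which is what the pcap in the report shows for the OpenSSH queries.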