feature request: modify getrrsetbyname() to use libunbound

Ondřej Caletka ondrej at caletka.cz
Wed May 9 20:44:13 EST 2012


On 9.5.2012 11:30, Luca Filipozzi wrote:
> 
> It's sufficient to add "anchor /path/to/root.key" to /etc/resolv.conf.
Wow, thanks for pointing it out, I didn't know about this ldns feature.
Maybe there should be some note in the documentation.

There is only one pitfall. Autonomous validation is attempted only
if the DNS response does not contain the AD flag. Therefore, if someone
changes the DNS response on the wire and leaves the AD flag set,
spurious data are trusted without further validation. This is not
secure, as the link between the computer and the DNS resolver cannot
generally be trusted.

Regards,
Ondřej Caletka
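The pitfall above in working code, as an added example that is not part of this thread and not ldns or libunbound code: the AD ("Authenticated Data") flag is a single cleartext bit in the DNS header, so an on-path attacker who rewrites the answer can simply leave it set. The messages below are constructed inline (a minimal A-record response built with Python's struct module); the "trusted path" rule in the hardened policy (only honour AD from a resolver on loopback, otherwise fall through to local validation) is an assumption chosen for illustration, not anything the mail prescribes.

```python
import struct

QR = 0x8000  # response bit
AD = 0x0020  # Authenticated Data flag (RFC 4035, section 3.2.3)


def encode_name(name):
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_response(txid, name, ipv4, ad):
    """Constructed sample: a response with one question and one A record (answer last)."""
    header = struct.pack("!HHHHHH", txid, QR | (AD if ad else 0), 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answer = (b"\xc0\x0c"                                    # pointer to the qname at offset 12
              + struct.pack("!HHIH", 1, 1, 300, 4)           # type A, class IN, TTL, RDLENGTH
              + bytes(int(o) for o in ipv4.split(".")))
    return header + question + answer


def _skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1
        if n == 0:
            return off
        off += n


def parse_response(msg):
    """Parse header flags and collect A-record answers."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE/QCLASS
    answers = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"id": txid, "ad": bool(flags & AD), "answers": answers}


def forge_on_the_wire(msg, fake_ipv4):
    """What an on-path attacker can do: swap the A record, set (or keep) AD.
    Assumes the build_response() layout, where the A rdata is the last 4 bytes."""
    flags = struct.unpack("!H", msg[2:4])[0] | AD
    return msg[:2] + struct.pack("!H", flags) + msg[4:-4] + bytes(int(o) for o in fake_ipv4.split("."))


def naive_policy(msg):
    """The pitfall: AD from the wire short-circuits validation.
    Returns the answers when AD is set; None means 'would validate locally'."""
    r = parse_response(msg)
    return r["answers"] if r["ad"] else None


def hardened_policy(msg, resolver_addr):
    """Honour AD only from a resolver reached over a trusted path (assumed: loopback);
    from any other resolver, ignore AD and fall through to local validation (None)."""
    r = parse_response(msg)
    trusted_path = resolver_addr in ("127.0.0.1", "::1")
    return r["answers"] if (r["ad"] and trusted_path) else None


if __name__ == "__main__":
    genuine = build_response(0x1234, "example.com", "192.0.2.1", ad=True)
    forged = forge_on_the_wire(genuine, "198.51.100.7")
    print("naive, forged answer from remote resolver:", naive_policy(forged))
    print("hardened, same forged answer:", hardened_policy(forged, "192.0.2.53"))
```

The forged message still carries AD=1, so the naive policy hands back the attacker's address without ever looking for an RRSIG; the hardened policy treats AD from a non-local resolver as meaningless and returns None, signalling that the stub must validate the RRset itself (which is what the ldns anchor option in the mail provides).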


More information about the openssh-unix-dev mailing list