feature request: modify getrrsetbyname() to use libunbound

Robert Story rstory at tislabs.com
Thu May 10 08:11:00 EST 2012


On Wed, 9 May 2012 18:56:08 +0000 Luca wrote:
LF> > Yes, which is why we prefer our DNSSEC-Tools libval patch, which
LF> > always does local validation and does not depend on the AD flag.
LF> > 
LF> > 	https://bugzilla.mindrot.org/show_bug.cgi?id=1672  

I just updated the patch for 6.0p1, in case anyone is interested in trying
it.

LF> (2) make use of Robert's DNSSEC-Tools-based implementation; could the
LF> DNSSEC-Tools-specific implementation be moved from verify_host_key_dns()
LF> to getrrsetbyname()?  

We wanted to have the lowest impact possible, and only do DNSSEC for
verifying sshfp records. If upstream is willing to accept optional
validation of all records, we could do that too.



Robert

--
Senior Software Engineer
SPARTA, Inc., a Parsons Company
