To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Cc: dnsop@cafax.se
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Date: Mon, 14 Oct 2002 11:02:56 +0200
Content-Disposition: inline
In-Reply-To: <200210112056.g9BKuSqL031026@marajade.sandelman.ottawa.on.ca>
Sender: owner-dnsop@cafax.se
User-Agent: Mutt/1.3.28i
Subject: Re: the call for bind software
On Fri, Oct 11, 2002 at 04:56:27PM -0400, Michael Richardson <mcr@sandelman.ottawa.on.ca> wrote a message of 68 lines which said:

> As a non-DNS developer (a customer of the domain name service), I am
> suffering from the problem that the only real API that anyone knows about is
> gethostbyname(3)...

<troll> You mean getaddrinfo(3)? </troll>

We could just add an error code:

EAI_NOAUTH      DNS records not authenticated
EAI_INVALAUTH   DNS authentication failed (invalid or corrupted signature)

With an option in /etc/resolv.conf to express whether you want only signed records or not. But I'm certain it has already been discussed by DNSSEC people. Check archives.

> 1) was it signed at all?

See above.

> 2) how far is this data from an axiomatic key?

More complicated issue :-(

> 3) even though some of the signatures may have expired, and it might be
> that the servers are not reachable to update them, I would still like
> to get the data if the signatures continue to check out. I want the
> degraded security to be visible of course! Again for the audit log.

This is starting to look complicated. I suggest adding a new function, only for that level of security.
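As an added illustration (not code from the thread or from any libc), the three outcomes the proposal sketches can be read off the header flags a validating resolver returns: AD set means the answer was authenticated, AD clear with NOERROR means unsigned or unvalidated data, and SERVFAIL with CD clear is how a validator reports a signature that failed to check. The `dns_auth` enum names and the mapping onto the proposed EAI_NOAUTH / EAI_INVALAUTH codes are hypothetical; the sample headers are constructed.

```c
/* Added example: classify a raw DNS response by its 12-byte header.
 * The enum names are hypothetical, modelled on the EAI_NOAUTH /
 * EAI_INVALAUTH codes proposed in the mail; they exist in no libc. */
#include <stdint.h>
#include <stddef.h>

enum dns_auth {
    DNS_AUTH_OK     = 0,   /* AD=1: resolver validated the data            */
    DNS_AUTH_NONE   = 1,   /* AD=0, NOERROR: not authenticated (EAI_NOAUTH)  */
    DNS_AUTH_FAILED = 2,   /* SERVFAIL, CD=0: validation failed (EAI_INVALAUTH) */
    DNS_AUTH_ERR    = -1   /* truncated message, not a response, other RCODE */
};

#define DNS_HDR_LEN    12
#define RCODE_NOERROR  0
#define RCODE_SERVFAIL 2

/* Only the header is inspected; the answer section is not parsed.
 * Header flags (RFC 1035/4035): bit 15 QR, bit 8 RD, bit 7 RA,
 * bit 5 AD, bit 4 CD, bits 3-0 RCODE. */
enum dns_auth dns_classify(const uint8_t *msg, size_t len)
{
    if (len < DNS_HDR_LEN)
        return DNS_AUTH_ERR;
    uint16_t flags = (uint16_t)((msg[2] << 8) | msg[3]);
    int qr    = (flags >> 15) & 1;
    int ad    = (flags >> 5) & 1;
    int cd    = (flags >> 4) & 1;
    int rcode = flags & 0x0f;

    if (!qr)
        return DNS_AUTH_ERR;
    if (rcode == RCODE_NOERROR)
        return ad ? DNS_AUTH_OK : DNS_AUTH_NONE;
    /* A validating resolver answers a bogus name with SERVFAIL. With CD
     * set the client asked it not to validate, so that is not a signature
     * failure. Note SERVFAIL has other causes too; this is the best a
     * header-only check can do, which is why the mail wants a real API. */
    if (rcode == RCODE_SERVFAIL && !cd)
        return DNS_AUTH_FAILED;
    return DNS_AUTH_ERR;
}

/* Constructed sample headers: ID 0x1234, QR=1, RD=1, RA=1, QDCOUNT=1. */
static const uint8_t hdr_validated[DNS_HDR_LEN] = {0x12,0x34, 0x81,0xa0, 0,1, 0,1, 0,0, 0,0}; /* AD=1 */
static const uint8_t hdr_unsigned[DNS_HDR_LEN]  = {0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0}; /* AD=0 */
static const uint8_t hdr_bogus[DNS_HDR_LEN]     = {0x12,0x34, 0x81,0x82, 0,1, 0,0, 0,0, 0,0}; /* SERVFAIL */
```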