cloud-init team mailing list archive
Re: Handling the trust-ad resolver option in glibc 2.31+
Thanks for your email!
On Fri, Apr 17, 2020 at 07:27:53PM +0200, Florian Weimer wrote:
> glibc 2.31 has support for recognizing that the name servers listed in
> /etc/resolv.conf are reached over a trusted network path and implement
> DNSSEC correctly (but do not necessarily perform validation):
> * The DNS stub resolver will optionally send the AD (authenticated data) bit
> in queries if the trust-ad option is set via the options directive in
> /etc/resolv.conf (or if RES_TRUSTAD is set in _res.options). In this
> mode, the AD bit, as provided by the name server, is available to
> applications which call res_search and related functions. In the default
> mode, the AD bit is not set in queries, and it is automatically cleared in
> responses, indicating a lack of DNSSEC validation. (Therefore, the name
> servers and the network path to them are treated as untrusted.)
> I think cloud-init needs a way to propagate this information to the
> instance data injection.
I don't think I fully understand what "this information" is in this
sentence. Could you expand a little on what you mean here?
> It may make sense to set trust-ad by default for certain injection
> methods, but I am not sure. In order to get the desired AD bit
> semantics, two things are required:
> * When sending and receiving packets to the addresses indicated in
> /etc/resolv.conf, the communication must happen with the DNS
> resolver on these IP addresses.
I'm not 100% sure I understand this requirement, could you perhaps
cloud-init has a module for configuring /etc/resolv.conf,
cc_resolv_conf. It has generic support for passing in "options", so
I don't believe any specific work would be required for users to specify
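The semantics Florian describes above (AD bit not sent in queries and cleared from responses by default; sent and passed through only when `options trust-ad` is present in /etc/resolv.conf) can be modelled in a few lines. The following is an added example written for this archive page; it is not glibc's resolver code and not cloud-init's cc_resolv_conf module. It assumes a constructed /etc/resolv.conf text (`SAMPLE_RESOLV_CONF`) such as cc_resolv_conf might write when a user passes `trust-ad` through its generic options, and it works on raw 12-byte DNS headers, so the resolv.conf sample, the header bytes and all function names are assumptions of the example.

```python
"""Added example (not glibc or cloud-init code): model the trust-ad policy.

Two parts:
1. Parse the `options` directive of an /etc/resolv.conf text and report
   whether trust-ad is configured.
2. Apply the stub-resolver policy to a DNS header: in default mode the AD
   (authenticated data) bit is not set in queries and is cleared from
   responses; with trust-ad it is set in queries and passed through from
   the name server's response.
"""
import struct

# AD flag in the 16-bit flags word of the DNS header (bit 5, RFC 4035).
AD_BIT = 0x0020
RD_BIT = 0x0100  # recursion desired, always set by a stub resolver

# Constructed sample, not taken from any real host.
SAMPLE_RESOLV_CONF = """# constructed sample resolv.conf
nameserver 10.0.0.2
search example.internal
options trust-ad timeout:2 attempts:3
"""


def parse_resolv_options(text):
    """Return the set of option names found on every `options` line.

    Options with a value (timeout:2) are reduced to their name (timeout);
    comments starting with '#' or ';' are ignored, as resolv.conf allows.
    """
    opts = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "options":
            for tok in parts[1:]:
                opts.add(tok.split(":", 1)[0])
    return opts


def trust_ad_enabled(text):
    """True when the resolver would run in trust-ad mode for this file."""
    return "trust-ad" in parse_resolv_options(text)


def build_header(txid, flags, qdcount=1, ancount=0):
    """Pack a 12-byte DNS header (id, flags, qd, an, ns, ar)."""
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, 0, 0)


def prepare_query_header(txid, trust_ad):
    """Outgoing query: RD always set; AD only when trust-ad is configured."""
    flags = RD_BIT
    if trust_ad:
        flags |= AD_BIT
    return build_header(txid, flags)


def filter_response_header(header, trust_ad):
    """Apply the stub-resolver policy to a response header.

    Without trust-ad the AD bit is cleared before the response reaches the
    application, signalling 'no DNSSEC validation' regardless of what the
    (untrusted) name server claimed.  With trust-ad the flag is passed
    through unchanged and the application may rely on it.
    """
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", header[:12])
    if not trust_ad:
        flags &= ~AD_BIT
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar) + header[12:]


def ad_bit_set(header):
    """Report whether the AD flag is set in a DNS header."""
    return bool(struct.unpack("!H", header[2:4])[0] & AD_BIT)


if __name__ == "__main__":
    trust = trust_ad_enabled(SAMPLE_RESOLV_CONF)
    # Constructed response header: QR|RD|RA|AD set, one answer record.
    resp = build_header(0x1234, 0x8000 | RD_BIT | 0x0080 | AD_BIT, ancount=1)
    for mode in (False, trust):
        q = prepare_query_header(0x1234, mode)
        r = filter_response_header(resp, mode)
        print(f"trust-ad={mode}: query AD={ad_bit_set(q)}, "
              f"response AD seen by app={ad_bit_set(r)}")
```

The point for whoever wires this into cc_resolv_conf is the second half: the file content alone decides whether the AD bit from the name server survives into the application, so `trust-ad` should only reach the rendered file when the injected name servers and the path to them are in fact trusted, which is exactly the question the thread is trying to settle.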