resolved: try to detect fritz.box-style private DNS zones, and downgrade to non-DNSSEC mode for them - ~lukeshu/systemd - Unnamed repository; edit this file 'description' to name the repository.

diff options

author	Lennart Poettering <lennart@poettering.net>	2016-01-05 22:13:56 +0100
committer	Lennart Poettering <lennart@poettering.net>	2016-01-05 22:13:56 +0100
commit	d33b6cf343f5a1e073c3060878d2cc5fed54d150 (patch)
tree	815e916b2e147681b2eb532322703d3bd365c989 /.vimrc
parent	105f6c4bdcdd9c7233370f1bc143913d5ab0d099 (diff)

resolved: try to detect fritz.box-style private DNS zones, and downgrade to non-DNSSEC mode for them

This adds logic to detect cases like the Fritz!Box routers which serve a private DNS domain "fritz.box" under the TLD "box" that does not exist in the root servers. If this is detected DNSSEC validation is turned off for this private domain, thus improving compatibility with such private DNS zones. This should be fairly secure as we first rely on the proof that .box does not exist before this logic is applied. Nevertheless the logic is only enabled for DNSSEC=allow-downgrade mode. This logic does not work for routers that set up a full DNS zone directly under a non-existing TLD, as in that case we cannot prove that the domain is truly non-existing according to the root servers.

Diffstat (limited to '.vimrc')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: