[PATCH] resolv.conf.5: DESCRIPTION: Mention that the data is trusted.

[PATCH] resolv.conf.5: DESCRIPTION: Mention that the data is trusted.

[Carlos O'Donell]

In a recent discussion about DNSSEC it was brought to my
attention that not all system administrators may understand
that the information in /etc/resolv.conf is fully trusted.
The resolver implementation in glibc treats /etc/resolv.conf
as a fully trusted source of DNS information and passes on
the AD-bit for DNSSEC as trusted.

Would it be possible to add a clarifying setence to the
man page for resolv.conf.5 to make it absolutely clear that
indeed this source of information is trusted?

Signed-off-by: Carlos O'Donell <carlos-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>

diff --git a/man5/resolv.conf.5 b/man5/resolv.conf.5
index f398724..2dfccdf 100644
--- a/man5/resolv.conf.5
+++ b/man5/resolv.conf.5
@@ -35,6 +35,9 @@ The resolver configuration file contains information that is read
 by the resolver routines the first time they are invoked by a process.
 The file is designed to be human readable and contains a list of
 keywords with values that provide various types of resolver information.
+The configuration file is considered a trusted source of DNS information
+e.g. DNSSEC AD-bit information will be returned unmodified from these
+sources.
 .LP
 If this file does not exist,
 only the name server on the local machine will be queried;
---

Cheers,
Carlos.
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] resolv.conf.5: DESCRIPTION: Mention that the data is trusted.

[Michael Kerrisk (man-pages)]

On 02/19/2014 12:09 AM, Carlos O'Donell wrote:
> In a recent discussion about DNSSEC it was brought to my
> attention that not all system administrators may understand
> that the information in /etc/resolv.conf is fully trusted.
> The resolver implementation in glibc treats /etc/resolv.conf
> as a fully trusted source of DNS information and passes on
> the AD-bit for DNSSEC as trusted.
> 
> Would it be possible to add a clarifying setence to the
> man page for resolv.conf.5 to make it absolutely clear that
> indeed this source of information is trusted?
> 
> Signed-off-by: Carlos O'Donell <carlos-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
> 
> diff --git a/man5/resolv.conf.5 b/man5/resolv.conf.5
> index f398724..2dfccdf 100644
> --- a/man5/resolv.conf.5
> +++ b/man5/resolv.conf.5
> @@ -35,6 +35,9 @@ The resolver configuration file contains information that is read
>  by the resolver routines the first time they are invoked by a process.
>  The file is designed to be human readable and contains a list of
>  keywords with values that provide various types of resolver information.
> +The configuration file is considered a trusted source of DNS information
> +e.g. DNSSEC AD-bit information will be returned unmodified from these
> +sources.
>  .LP
>  If this file does not exist,
>  only the name server on the local machine will be queried;

Carlos,

Thanks. I've applied this, but made one small change. You wrote plural "these
sources", but the context seems to indicate a singular is required, so I 
changed it to "this source". Okay?

Cheers,

Michael


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] resolv.conf.5: DESCRIPTION: Mention that the data is trusted.

[Carlos O'Donell]

On 02/22/2014 03:57 AM, Michael Kerrisk (man-pages) wrote:
> On 02/19/2014 12:09 AM, Carlos O'Donell wrote:
>> In a recent discussion about DNSSEC it was brought to my
>> attention that not all system administrators may understand
>> that the information in /etc/resolv.conf is fully trusted.
>> The resolver implementation in glibc treats /etc/resolv.conf
>> as a fully trusted source of DNS information and passes on
>> the AD-bit for DNSSEC as trusted.
>>
>> Would it be possible to add a clarifying setence to the
>> man page for resolv.conf.5 to make it absolutely clear that
>> indeed this source of information is trusted?
>>
>> Signed-off-by: Carlos O'Donell <carlos-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
>>
>> diff --git a/man5/resolv.conf.5 b/man5/resolv.conf.5
>> index f398724..2dfccdf 100644
>> --- a/man5/resolv.conf.5
>> +++ b/man5/resolv.conf.5
>> @@ -35,6 +35,9 @@ The resolver configuration file contains information that is read
>>  by the resolver routines the first time they are invoked by a process.
>>  The file is designed to be human readable and contains a list of
>>  keywords with values that provide various types of resolver information.
>> +The configuration file is considered a trusted source of DNS information
>> +e.g. DNSSEC AD-bit information will be returned unmodified from these
>> +sources.
>>  .LP
>>  If this file does not exist,
>>  only the name server on the local machine will be queried;
> 
> Carlos,
> 
> Thanks. I've applied this, but made one small change. You wrote plural "these
> sources", but the context seems to indicate a singular is required, so I 
> changed it to "this source". Okay?

I wrote "sources" because the singular /etc/resolv.conf may have
between 1 and 3 DNS servers listed as the source or sources of
trusted DNS information. What you wrote is perfectly fine though,
the point is to get across that this is at present a trusted source
of information that NetworkManager and other tools should treat
as trusted. If you don't trust the DNS server or DHCP then you need
to take other drastic measures.

Cheers,
Carlos.

--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html