educare:dnsutils
Differences
This shows you the differences between two versions of the page.
educare:dnsutils [2020/06/08 22:20] – external edit 127.0.0.1 | educare:dnsutils [2020/07/21 12:21] – profpro | ||
---|---|---|---|
Line 6: | Line 6: | ||
nslookup | nslookup | ||
+ | |||
+ | < | ||
+ | Starting with glibc 2.31, the DNS stub resolver does not blindly trust the | ||
+ | AD (authenticated data) flag, indicating a DNSSEC validation: | ||
+ | | ||
+ | - By default the name servers and the network path to them are treated as | ||
+ | untrusted. In this mode, the AD flag is not set in queries, and it is | ||
+ | automatically cleared in responses, indicating a lack of DNSSEC | ||
+ | validation. | ||
+ | |||
+ | - A new trust-ad option, set via the options directive in / | ||
+ | (or if RES_TRUSTAD is set in _res.options), | ||
+ | server is trusted. In this mode, the AD bit, as provided by the name | ||
+ | server, is made available to the applications. | ||
+ | |||
+ | Therefore if you trust your name servers, for example because you use a | ||
+ | locally running validating resolver (e.g. unbound, systemd-resolved or | ||
+ | dnsmasq), you might want to add the following line to / | ||
+ | |||
+ | options trust-ad | ||
+ | |||
+ | </ |
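Review bot: The file path is cut off after the leading "/" in both "set via the options directive in /" and "add the following line to /", and the clause following "(or if RES_TRUSTAD is set in _res.options)," has lost its opening words, so the added block does not tell the reader which file to edit or what the option asserts. Restore the full path and the missing words before publishing this revision. Since the text says that with trust-ad the AD bit is passed to applications "as provided by the name server", it would also help to state next to "options trust-ad" that the line belongs only on hosts whose configured name server is the locally running resolver, and that DNSSEC validation must actually be switched on in that resolver, because the stub resolver itself performs no validation in either mode.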
educare/dnsutils.txt · Last modified: 2023/06/14 10:44 by profpro