[dns-operations] DNS at FOSDEM 2016

Florian Weimer fw at deneb.enyo.de
Fri Feb 5 19:59:31 UTC 2016


* Sara Dickinson:

>> On 4 Feb 2016, at 12:00, Paul Wouters <paul at nohats.ca> wrote:
>> 
>> On Wed, 3 Feb 2016, Robert Edmonds wrote:
>> 
>>> Maybe a "getdns daemon" would be an interesting hackathon project, and
>>> maybe even a "getdns NSS module".
>> 
>> https://github.com/getdnsapi/libnss_getdns

> There are serious thoughts about doing a hackathon project (at the
> next IETF) to use what was learned from this prototype and explore
> this avenue further. If there is interest in this please let me
> know.

I had a quick look, and the NSS service module compiled
--with-context-proxy is likely insecure (in the sense that it enables
local privilege escalation).  The reason is that NSS service modules
are loaded by many SUID binaries, and some of the getdns dependencies
(OpenSSL in particular) have not been designed for this scenario.

Florian


