Re: [dane] An AD bit discussion
Andreas Schulze <sca@andreasschulze.de> Wed, 26 February 2014 19:42 UTC
Return-Path: <sca@andreasschulze.de>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6AB51A0117 for <dane@ietfa.amsl.com>; Wed, 26 Feb 2014 11:42:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.199
X-Spam-Level:
X-Spam-Status: No, score=-2.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_DE=0.35, RP_MATCHES_RCVD=-0.547, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BAK0z0tO9-vO for <dane@ietfa.amsl.com>; Wed, 26 Feb 2014 11:42:22 -0800 (PST)
Received: from mout.andreasschulze.de (mout.andreasschulze.de [IPv6:2001:1608:12:1:8ead:7d6c:3132:6a07]) by ietfa.amsl.com (Postfix) with ESMTP id 0B8931A0164 for <dane@ietf.org>; Wed, 26 Feb 2014 11:42:19 -0800 (PST)
X-Received: line deleted by mout
X-Received: line deleted by mout
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=andreasschulze.de; s=J4bWGJQcBmxMQ; t=1393443733; bh=o+rgFUtLTcN+6bHz+dbgbwA1ukxOo9viUGL/PWINYmk=; h=Date:From:To:Cc:Subject:References:In-Reply-To; b=IOSUPj7QaML3xhfCgKwrAnuNXZsKu3YfPWeUd2D1FCcdFf0i0/pbW4HvuA/EPHRH7 TBgHz2EG4J17HmjaMlb6bEwvot2xXSTmUonZ7MM+/VT0QJCEfeEHXlNdtSvGC2qqcr S0Z/EYUkg90DLVucfP0p3Li7OIC0c2V2kkrj5Ta8haq3kAfkli5TE0EtDjwPf72Un5 TYLe8q+bm/d6RpNQTR+/tMZmiY27+hOw2uOZaHcLX4+zAcVLxKTDKPp3mRIdu24omo z7hAPHl/D+9KIv9a0m3DIYdIr2bgWYaUktuK9oRnWb7MSSugcBnSoBAKPYhaQpcwKD 4mjzmDcFwE+3sPBTaPEyk1aXr1N7xhtklxNAuFZHMlvg4uQXABja7duoRH8xqto8z9 x3QECDRw4H2X2LDgc+z+uatFdgSAOqOutDGaXGd5XpOBkda2/ZZP0vWoVOqn3BRkXH Zd1IBskqQG+uC+VDeK2iHw7stVNd81BCzI4aD+K+9JVqjc/qcMKQLrrTs3O/deMcCo PGJlV2J7rgASguR1QRmXGiyM4Wo14lSQ8z9V6F5HpFRkGQ/0dVddLVqKaMuR0dA9JR 88H+jA8sh7oiEsKIPpWavsy+7OgQo+QZhTZwF7s/KspKXL9Pml8T8oesjJ4WrOwZKY MFd8G91yg2X7CN5T7ScXTMhg=
X-Received: line deleted by mout
Date: Wed, 26 Feb 2014 20:42:09 +0100
From: Andreas Schulze <sca@andreasschulze.de>
To: Paul Wouters <paul@nohats.ca>
Message-ID: <20140226194208.GA19694@solar.andreasschulze.de>
References: <alpine.LFD.2.10.1402260845520.3528@bofh.nohats.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <alpine.LFD.2.10.1402260845520.3528@bofh.nohats.ca>
X-GPG-Key-ID: 0xA7DBA67F
X-GPG-Fingerprint: 14C1 39A8 CE6D 6BE0 28C6 5652 03B5 6793 A7DB A67F
X-GPG-Public-Key: http://9645f8.dyndns.org/a7dba67f.asc
X-Location: Germany, Earth
User-Agent: mutt
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/3zDwbObgjMWao4q03Qhnuv02H-g
Cc: dane WG list <dane@ietf.org>
Subject: Re: [dane] An AD bit discussion
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Feb 2014 19:42:25 -0000
Paul Wouters: > I'm currently aware of two (non-dns utilities) applications that make > security decisions based on "blindly" trusting the AD bit: ssh with > VerifyHostKeyDNS=yes|ask and Postfix. opendkim could be linked with libunbound too to mark a dkim key fetched for validation as "secured" or "nonsecured" > libreswan and strongswan are examples of applications that use libunbound > for in-application DNSSEC validation to avoid needing to trust > /etc/resolv.conf DNS servers for the AD bit. opendkim too... Upon validation DKIM public keys are fetched freom DNS and the validation result is part of the Authentication-Results header. But there is no further policy decision made. > 4 In the ideal world tomorrow, each host has its own automatically > configured, perfectly working validing DNS server and resolv.conf can > be ignored or is always hardcoded with nameserver 127.0.0.1 Oh, I'm near your ideal world since years :-) $ cat /etc/resolv.conf nameserver ::1 Andreas
- Re: [dane] An AD bit discussion Paul Wouters
- [dane] An AD bit discussion Paul Wouters
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Ondřej Surý
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Petr Spacek
- Re: [dane] An AD bit discussion Petr Spacek
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Tony Finch
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Petr Spacek
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Olafur Gudmundsson
- Re: [dane] An AD bit discussion Tony Finch
- Re: [dane] An AD bit discussion Tony Finch
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Tony Finch
- Re: [dane] An AD bit discussion Wiley, Glen
- Re: [dane] An AD bit discussion James Cloos
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Andreas Schulze
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Paul Wouters
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Andrew Sullivan
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Andrew Sullivan
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Andrew Sullivan
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Paul Wouters
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Petr Spacek
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion (correction) Viktor Dukhovni
- Re: [dane] An AD bit discussion Paul Wouters
- Re: [dane] An AD bit discussion Paul Wouters
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Tony Finch
- Re: [dane] An AD bit discussion Petr Spacek
- Re: [dane] An AD bit discussion (correction) Petr Spacek
- Re: [dane] An AD bit discussion (+concerns from g… Petr Spacek
- Re: [dane] An AD bit discussion (correction) Viktor Dukhovni
- Re: [dane] An AD bit discussion (+concerns from g… Viktor Dukhovni
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion (correction) Viktor Dukhovni
- [dane] Proposal: AD bit handling in stub-resolver… Petr Spacek
- Re: [dane] An AD bit discussion Michael Richardson
- Re: [dane] An AD bit discussion Simo Sorce
- Re: [dane] An AD bit discussion Michael Richardson
- Re: [dane] An AD bit discussion Michael Richardson
- Re: [dane] An AD bit discussion Simo Sorce
- Re: [dane] An AD bit discussion Michael Richardson
- Re: [dane] An AD bit discussion Michael Richardson
- Re: [dane] Proposal: AD bit handling in stub-reso… Viktor Dukhovni
- Re: [dane] An AD bit discussion Florian Weimer
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Petr Spacek
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Petr Spacek