Re: [dane] An AD bit discussion

Andreas Schulze <sca@andreasschulze.de> Wed, 26 February 2014 19:42 UTC

Return-Path: <sca@andreasschulze.de>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6AB51A0117 for <dane@ietfa.amsl.com>; Wed, 26 Feb 2014 11:42:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.199
X-Spam-Level:
X-Spam-Status: No, score=-2.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_DE=0.35, RP_MATCHES_RCVD=-0.547, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BAK0z0tO9-vO for <dane@ietfa.amsl.com>; Wed, 26 Feb 2014 11:42:22 -0800 (PST)
Received: from mout.andreasschulze.de (mout.andreasschulze.de [IPv6:2001:1608:12:1:8ead:7d6c:3132:6a07]) by ietfa.amsl.com (Postfix) with ESMTP id 0B8931A0164 for <dane@ietf.org>; Wed, 26 Feb 2014 11:42:19 -0800 (PST)
X-Received: line deleted by mout
X-Received: line deleted by mout
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=andreasschulze.de; s=J4bWGJQcBmxMQ; t=1393443733; bh=o+rgFUtLTcN+6bHz+dbgbwA1ukxOo9viUGL/PWINYmk=; h=Date:From:To:Cc:Subject:References:In-Reply-To; b=IOSUPj7QaML3xhfCgKwrAnuNXZsKu3YfPWeUd2D1FCcdFf0i0/pbW4HvuA/EPHRH7 TBgHz2EG4J17HmjaMlb6bEwvot2xXSTmUonZ7MM+/VT0QJCEfeEHXlNdtSvGC2qqcr S0Z/EYUkg90DLVucfP0p3Li7OIC0c2V2kkrj5Ta8haq3kAfkli5TE0EtDjwPf72Un5 TYLe8q+bm/d6RpNQTR+/tMZmiY27+hOw2uOZaHcLX4+zAcVLxKTDKPp3mRIdu24omo z7hAPHl/D+9KIv9a0m3DIYdIr2bgWYaUktuK9oRnWb7MSSugcBnSoBAKPYhaQpcwKD 4mjzmDcFwE+3sPBTaPEyk1aXr1N7xhtklxNAuFZHMlvg4uQXABja7duoRH8xqto8z9 x3QECDRw4H2X2LDgc+z+uatFdgSAOqOutDGaXGd5XpOBkda2/ZZP0vWoVOqn3BRkXH Zd1IBskqQG+uC+VDeK2iHw7stVNd81BCzI4aD+K+9JVqjc/qcMKQLrrTs3O/deMcCo PGJlV2J7rgASguR1QRmXGiyM4Wo14lSQ8z9V6F5HpFRkGQ/0dVddLVqKaMuR0dA9JR 88H+jA8sh7oiEsKIPpWavsy+7OgQo+QZhTZwF7s/KspKXL9Pml8T8oesjJ4WrOwZKY MFd8G91yg2X7CN5T7ScXTMhg=
X-Received: line deleted by mout
Date: Wed, 26 Feb 2014 20:42:09 +0100
From: Andreas Schulze <sca@andreasschulze.de>
To: Paul Wouters <paul@nohats.ca>
Message-ID: <20140226194208.GA19694@solar.andreasschulze.de>
References: <alpine.LFD.2.10.1402260845520.3528@bofh.nohats.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <alpine.LFD.2.10.1402260845520.3528@bofh.nohats.ca>
X-GPG-Key-ID: 0xA7DBA67F
X-GPG-Fingerprint: 14C1 39A8 CE6D 6BE0 28C6 5652 03B5 6793 A7DB A67F
X-GPG-Public-Key: http://9645f8.dyndns.org/a7dba67f.asc
X-Location: Germany, Earth
User-Agent: mutt
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/3zDwbObgjMWao4q03Qhnuv02H-g
Cc: dane WG list <dane@ietf.org>
Subject: Re: [dane] An AD bit discussion
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Feb 2014 19:42:25 -0000

Paul Wouters:
> I'm currently aware of two (non-dns utilities) applications that make
> security decisions based on "blindly" trusting the AD bit: ssh with
> VerifyHostKeyDNS=yes|ask and Postfix.
opendkim could be linked with libunbound too to mark a dkim key fetched for validation as "secured" or "nonsecured"

> libreswan and strongswan are examples of applications that use libunbound
> for in-application DNSSEC validation to avoid needing to trust
> /etc/resolv.conf DNS servers for the AD bit.
opendkim too...
Upon validation DKIM public keys are fetched freom DNS and the validation result
is part of the Authentication-Results header. But there is no further policy decision made.

> 4 In the ideal world tomorrow, each host has its own automatically
>   configured, perfectly working validing DNS server and resolv.conf can
>   be ignored or is always hardcoded with nameserver 127.0.0.1
Oh, I'm near your ideal world since years :-)

$ cat /etc/resolv.conf 
nameserver ::1

Andreas