Re: [dane] An AD bit discussion

Andreas Schulze <> Wed, 26 February 2014 19:42 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id D6AB51A0117 for <>; Wed, 26 Feb 2014 11:42:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.199
X-Spam-Status: No, score=-2.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_DE=0.35, RP_MATCHES_RCVD=-0.547, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id BAK0z0tO9-vO for <>; Wed, 26 Feb 2014 11:42:22 -0800 (PST)
Received: from ( [IPv6:2001:1608:12:1:8ead:7d6c:3132:6a07]) by (Postfix) with ESMTP id 0B8931A0164 for <>; Wed, 26 Feb 2014 11:42:19 -0800 (PST)
X-Received: line deleted by mout
X-Received: line deleted by mout
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=J4bWGJQcBmxMQ; t=1393443733; bh=o+rgFUtLTcN+6bHz+dbgbwA1ukxOo9viUGL/PWINYmk=; h=Date:From:To:Cc:Subject:References:In-Reply-To; b=IOSUPj7QaML3xhfCgKwrAnuNXZsKu3YfPWeUd2D1FCcdFf0i0/pbW4HvuA/EPHRH7 TBgHz2EG4J17HmjaMlb6bEwvot2xXSTmUonZ7MM+/VT0QJCEfeEHXlNdtSvGC2qqcr S0Z/EYUkg90DLVucfP0p3Li7OIC0c2V2kkrj5Ta8haq3kAfkli5TE0EtDjwPf72Un5 TYLe8q+bm/d6RpNQTR+/tMZmiY27+hOw2uOZaHcLX4+zAcVLxKTDKPp3mRIdu24omo z7hAPHl/D+9KIv9a0m3DIYdIr2bgWYaUktuK9oRnWb7MSSugcBnSoBAKPYhaQpcwKD 4mjzmDcFwE+3sPBTaPEyk1aXr1N7xhtklxNAuFZHMlvg4uQXABja7duoRH8xqto8z9 x3QECDRw4H2X2LDgc+z+uatFdgSAOqOutDGaXGd5XpOBkda2/ZZP0vWoVOqn3BRkXH Zd1IBskqQG+uC+VDeK2iHw7stVNd81BCzI4aD+K+9JVqjc/qcMKQLrrTs3O/deMcCo PGJlV2J7rgASguR1QRmXGiyM4Wo14lSQ8z9V6F5HpFRkGQ/0dVddLVqKaMuR0dA9JR 88H+jA8sh7oiEsKIPpWavsy+7OgQo+QZhTZwF7s/KspKXL9Pml8T8oesjJ4WrOwZKY MFd8G91yg2X7CN5T7ScXTMhg=
X-Received: line deleted by mout
Date: Wed, 26 Feb 2014 20:42:09 +0100
From: Andreas Schulze <>
To: Paul Wouters <>
Message-ID: <>
References: <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
X-GPG-Key-ID: 0xA7DBA67F
X-GPG-Fingerprint: 14C1 39A8 CE6D 6BE0 28C6 5652 03B5 6793 A7DB A67F
X-Location: Germany, Earth
User-Agent: mutt
Cc: dane WG list <>
Subject: Re: [dane] An AD bit discussion
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 26 Feb 2014 19:42:25 -0000

Paul Wouters:
> I'm currently aware of two (non-dns utilities) applications that make
> security decisions based on "blindly" trusting the AD bit: ssh with
> VerifyHostKeyDNS=yes|ask and Postfix.
opendkim could be linked with libunbound too to mark a dkim key fetched for validation as "secured" or "nonsecured"

> libreswan and strongswan are examples of applications that use libunbound
> for in-application DNSSEC validation to avoid needing to trust
> /etc/resolv.conf DNS servers for the AD bit.
opendkim too...
Upon validation DKIM public keys are fetched freom DNS and the validation result
is part of the Authentication-Results header. But there is no further policy decision made.

> 4 In the ideal world tomorrow, each host has its own automatically
>   configured, perfectly working validing DNS server and resolv.conf can
>   be ignored or is always hardcoded with nameserver
Oh, I'm near your ideal world since years :-)

$ cat /etc/resolv.conf 
nameserver ::1