Re: [dane] AD bit handling in stub-resolvers: conclusions and compromises
Nico Williams <nico@cryptonector.com> Wed, 09 April 2014 01:35 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A62461A0005 for <dane@ietfa.amsl.com>; Tue, 8 Apr 2014 18:35:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.656
X-Spam-Level: *
X-Spam-Status: No, score=1.656 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, IP_NOT_FRIENDLY=0.334] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uyNP_6X43P-I for <dane@ietfa.amsl.com>; Tue, 8 Apr 2014 18:35:26 -0700 (PDT)
Received: from homiemail-a30.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 02CD51A0004 for <dane@ietf.org>; Tue, 8 Apr 2014 18:35:26 -0700 (PDT)
Received: from homiemail-a30.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a30.g.dreamhost.com (Postfix) with ESMTP id 8C54A21DE57 for <dane@ietf.org>; Tue, 8 Apr 2014 18:35:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=fk+U23GtHMXOH0EktsoE pNnViCk=; b=ii/1Apd+YdipynPuXCCFvOrx8fwNbteZPS7nFVilm7GKTbm/HOA7 PKrmQhLonCaN61Iz0QpSaHGmqXzHN7TuwT1x9SWUEPRf2ojcLXOt73V93nI1NzEk c+aVn5SbU2wJsg6WN8+zvKJo3l4PSXdO/OezHYWcAbdEWQJLyTRFr9Q=
Received: from mail-wi0-f170.google.com (mail-wi0-f170.google.com [209.85.212.170]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a30.g.dreamhost.com (Postfix) with ESMTPSA id 3E63221DE55 for <dane@ietf.org>; Tue, 8 Apr 2014 18:35:25 -0700 (PDT)
Received: by mail-wi0-f170.google.com with SMTP id bs8so8774736wib.1 for <dane@ietf.org>; Tue, 08 Apr 2014 18:35:24 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.180.97.72 with SMTP id dy8mr7101065wib.5.1397007324008; Tue, 08 Apr 2014 18:35:24 -0700 (PDT)
Received: by 10.217.129.197 with HTTP; Tue, 8 Apr 2014 18:35:23 -0700 (PDT)
In-Reply-To: <533EB433.5060204@redhat.com>
References: <533EB433.5060204@redhat.com>
Date: Tue, 08 Apr 2014 20:35:23 -0500
Message-ID: <CAK3OfOhc0b6Rk+4kmt8cDUN07S7C4aqEU_f_GjmtQGsgqa8j7g@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Petr Spacek <pspacek@redhat.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/EGSFp15rkwlnzDDgLJQw9hG8Xtk
Cc: dane@ietf.org
Subject: Re: [dane] AD bit handling in stub-resolvers: conclusions and compromises
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Apr 2014 01:35:29 -0000
On Fri, Apr 4, 2014 at 8:31 AM, Petr Spacek <pspacek@redhat.com> wrote: > Hello, > > Let me sum up the discussion and document the compromise for archaeologists: Thanks. > Approach A > ========== > One approach is to do nothing in stub resolvers and rely on validating > resolvers or application logic. > This approach was mentioned by Paul Wouters <pwouters@redhat.com>, Prasad > Pandit <ppandit@redhat.com>, Carlos O'Donell <carlos@redhat.com>, Olafur > Gudmundsson <ogud@ogud.com>. Also, Michael Richardson had some comments about uninformative error/timeout handling when the application doesn't do its own DNSSEC validation. There are solutions to Michael's problem, such as running an in-app resolver when the user wants detailed error information. > It seems that the main concern about AD bit stripping in stub resolvers is > compatibility with existing applications which rely on AD bit: We should want fail-closed semantics. I very much prefer having a caching validating local server. I don't mind making people (and configuration apps) explicitly set a global in /etc/resolv.conf to disable AD stripping. I'd provide two settings, one to disable AD stripping IFF the only nameserver is ::1, and another to disable AD stripping in all other cases. > After further discussion, it seems that pwouters is okay with AD bit > stripping in stub resolver if it is explicitly requested by a calling > application. (E.g. by special resolver initialization.) Again, we need fail-closed semantics. > Approach B > ========== > The other approach is to do AD bit stripping in stub resolvers by default. > It was proposed to add system-wide setting for this (e.g. to resolv.conf) > and default to "strip AD bit unless admin configured something else". > > This approach was mentioned by Petr Spacek <pspacek@redhat.com>, Simo Sorce > <ssorce@redhat.com>, Viktor Dukhovni <viktor1dane@dukhovni.org>, Tony Finch > <dot@dotat.at>, James Cloos <cloos@jhcloos.com>. > > Naturally, application has to be able to do run-time check that it is using > a library with this new behavior to avoid running in unsafe environment. This might be done at install time, or first-run time if we commit to never removing this feature once it's added and/or if we provide an interface for notifying applications of removal of this feature. This approach means not having to extend APIs. However extending APIs is probably OK enough I think, given that we have relatively few DNSSEC-capable apps today. > Next Steps > ========== > Define what is yet not defined: > - System-wide configuration format (e.g. modify resolv.conf vs. add a new > file) The former. > - Propose specific API changes for major DNS libraries (glibc, maybe ldns > and co.) See below. > - Prepare recommendation for application developers how and when to use a > new API Sure. > Further discussion about implementation details will happen on mailing lists > related to the particular DNS libraries. For the res_init() API it'd be nice to have an agreed-upon extension. Where is that to be discussed, if at all? Nico --
- [dane] AD bit handling in stub-resolvers: conclus… Petr Spacek
- Re: [dane] AD bit handling in stub-resolvers: con… Wes Hardaker
- Re: [dane] AD bit handling in stub-resolvers: con… Viktor Dukhovni
- Re: [dane] AD bit handling in stub-resolvers: con… Mark Andrews
- Re: [dane] AD bit handling in stub-resolvers: con… Nico Williams
- Re: [dane] AD bit handling in stub-resolvers: con… Nico Williams
- Re: [dane] AD bit handling in stub-resolvers: con… Paul Wouters
- Re: [dane] AD bit handling in stub-resolvers: con… Paul Wouters