Re: [dane] AD bit handling in stub-resolvers: conclusions and compromises

Nico Williams <nico@cryptonector.com> Wed, 09 April 2014 01:35 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A62461A0005 for <dane@ietfa.amsl.com>; Tue, 8 Apr 2014 18:35:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.656
X-Spam-Level: *
X-Spam-Status: No, score=1.656 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, IP_NOT_FRIENDLY=0.334] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uyNP_6X43P-I for <dane@ietfa.amsl.com>; Tue, 8 Apr 2014 18:35:26 -0700 (PDT)
Received: from homiemail-a30.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 02CD51A0004 for <dane@ietf.org>; Tue, 8 Apr 2014 18:35:26 -0700 (PDT)
Received: from homiemail-a30.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a30.g.dreamhost.com (Postfix) with ESMTP id 8C54A21DE57 for <dane@ietf.org>; Tue, 8 Apr 2014 18:35:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=fk+U23GtHMXOH0EktsoE pNnViCk=; b=ii/1Apd+YdipynPuXCCFvOrx8fwNbteZPS7nFVilm7GKTbm/HOA7 PKrmQhLonCaN61Iz0QpSaHGmqXzHN7TuwT1x9SWUEPRf2ojcLXOt73V93nI1NzEk c+aVn5SbU2wJsg6WN8+zvKJo3l4PSXdO/OezHYWcAbdEWQJLyTRFr9Q=
Received: from mail-wi0-f170.google.com (mail-wi0-f170.google.com [209.85.212.170]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a30.g.dreamhost.com (Postfix) with ESMTPSA id 3E63221DE55 for <dane@ietf.org>; Tue, 8 Apr 2014 18:35:25 -0700 (PDT)
Received: by mail-wi0-f170.google.com with SMTP id bs8so8774736wib.1 for <dane@ietf.org>; Tue, 08 Apr 2014 18:35:24 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.180.97.72 with SMTP id dy8mr7101065wib.5.1397007324008; Tue, 08 Apr 2014 18:35:24 -0700 (PDT)
Received: by 10.217.129.197 with HTTP; Tue, 8 Apr 2014 18:35:23 -0700 (PDT)
In-Reply-To: <533EB433.5060204@redhat.com>
References: <533EB433.5060204@redhat.com>
Date: Tue, 08 Apr 2014 20:35:23 -0500
Message-ID: <CAK3OfOhc0b6Rk+4kmt8cDUN07S7C4aqEU_f_GjmtQGsgqa8j7g@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Petr Spacek <pspacek@redhat.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/EGSFp15rkwlnzDDgLJQw9hG8Xtk
Cc: dane@ietf.org
Subject: Re: [dane] AD bit handling in stub-resolvers: conclusions and compromises
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Apr 2014 01:35:29 -0000

On Fri, Apr 4, 2014 at 8:31 AM, Petr Spacek <pspacek@redhat.com> wrote:
> Hello,
>
> Let me sum up the discussion and document the compromise for archaeologists:

Thanks.

> Approach A
> ==========
> One approach is to do nothing in stub resolvers and rely on validating
> resolvers or application logic.
> This approach was mentioned by Paul Wouters <pwouters@redhat.com>, Prasad
> Pandit <ppandit@redhat.com>, Carlos O'Donell <carlos@redhat.com>, Olafur
> Gudmundsson <ogud@ogud.com>.

Also, Michael Richardson had some comments about uninformative
error/timeout handling when the application doesn't do its own DNSSEC
validation.

There are solutions to Michael's problem, such as running an in-app
resolver when the user wants detailed error information.

> It seems that the main concern about AD bit stripping in stub resolvers is
> compatibility with existing applications which rely on AD bit:

We should want fail-closed semantics.  I very much prefer having a
caching validating local server.  I don't mind making people (and
configuration apps) explicitly set a global in /etc/resolv.conf to
disable AD stripping.

I'd provide two settings, one to disable AD stripping IFF the only
nameserver is ::1, and another to disable AD stripping in all other
cases.

> After further discussion, it seems that pwouters is okay with AD bit
> stripping in stub resolver if it is explicitly requested by a calling
> application. (E.g. by special resolver initialization.)

Again, we need fail-closed semantics.

> Approach B
> ==========
> The other approach is to do AD bit stripping in stub resolvers by default.
> It was proposed to add system-wide setting for this (e.g. to resolv.conf)
> and default to "strip AD bit unless admin configured something else".
>
> This approach was mentioned by Petr Spacek <pspacek@redhat.com>, Simo Sorce
> <ssorce@redhat.com>, Viktor Dukhovni <viktor1dane@dukhovni.org>, Tony Finch
> <dot@dotat.at>, James Cloos <cloos@jhcloos.com>.
>
> Naturally, application has to be able to do run-time check that it is using
> a library with this new behavior to avoid running in unsafe environment.

This might be done at install time, or first-run time if we commit to
never removing this feature once it's added and/or if we provide an
interface for notifying applications of removal of this feature.  This
approach means not having to extend APIs.  However extending APIs is
probably OK enough I think, given that we have relatively few
DNSSEC-capable apps today.

> Next Steps
> ==========
> Define what is yet not defined:
> - System-wide configuration format (e.g. modify resolv.conf vs. add a new
> file)

The former.

> - Propose specific API changes for major DNS libraries (glibc, maybe ldns
> and co.)

See below.

> - Prepare recommendation for application developers how and when to use a
> new API

Sure.

> Further discussion about implementation details will happen on mailing lists
> related to the particular DNS libraries.

For the res_init() API it'd be nice to have an agreed-upon extension.
Where is that to be discussed, if at all?

Nico
--