Re: [dane] AD bit handling in stub-resolvers: conclusions and compromises

Nico Williams <> Wed, 09 April 2014 01:35 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id A62461A0005 for <>; Tue, 8 Apr 2014 18:35:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 1.656
X-Spam-Level: *
X-Spam-Status: No, score=1.656 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, IP_NOT_FRIENDLY=0.334] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id uyNP_6X43P-I for <>; Tue, 8 Apr 2014 18:35:26 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 02CD51A0004 for <>; Tue, 8 Apr 2014 18:35:26 -0700 (PDT)
Received: from (localhost []) by (Postfix) with ESMTP id 8C54A21DE57 for <>; Tue, 8 Apr 2014 18:35:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type;; bh=fk+U23GtHMXOH0EktsoE pNnViCk=; b=ii/1Apd+YdipynPuXCCFvOrx8fwNbteZPS7nFVilm7GKTbm/HOA7 PKrmQhLonCaN61Iz0QpSaHGmqXzHN7TuwT1x9SWUEPRf2ojcLXOt73V93nI1NzEk c+aVn5SbU2wJsg6WN8+zvKJo3l4PSXdO/OezHYWcAbdEWQJLyTRFr9Q=
Received: from ( []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: by (Postfix) with ESMTPSA id 3E63221DE55 for <>; Tue, 8 Apr 2014 18:35:25 -0700 (PDT)
Received: by with SMTP id bs8so8774736wib.1 for <>; Tue, 08 Apr 2014 18:35:24 -0700 (PDT)
MIME-Version: 1.0
X-Received: by with SMTP id dy8mr7101065wib.5.1397007324008; Tue, 08 Apr 2014 18:35:24 -0700 (PDT)
Received: by with HTTP; Tue, 8 Apr 2014 18:35:23 -0700 (PDT)
In-Reply-To: <>
References: <>
Date: Tue, 08 Apr 2014 20:35:23 -0500
Message-ID: <>
From: Nico Williams <>
To: Petr Spacek <>
Content-Type: text/plain; charset="UTF-8"
Subject: Re: [dane] AD bit handling in stub-resolvers: conclusions and compromises
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 09 Apr 2014 01:35:29 -0000

On Fri, Apr 4, 2014 at 8:31 AM, Petr Spacek <> wrote:
> Hello,
> Let me sum up the discussion and document the compromise for archaeologists:


> Approach A
> ==========
> One approach is to do nothing in stub resolvers and rely on validating
> resolvers or application logic.
> This approach was mentioned by Paul Wouters <>, Prasad
> Pandit <>, Carlos O'Donell <>, Olafur
> Gudmundsson <>.

Also, Michael Richardson had some comments about uninformative
error/timeout handling when the application doesn't do its own DNSSEC

There are solutions to Michael's problem, such as running an in-app
resolver when the user wants detailed error information.

> It seems that the main concern about AD bit stripping in stub resolvers is
> compatibility with existing applications which rely on AD bit:

We should want fail-closed semantics.  I very much prefer having a
caching validating local server.  I don't mind making people (and
configuration apps) explicitly set a global in /etc/resolv.conf to
disable AD stripping.

I'd provide two settings, one to disable AD stripping IFF the only
nameserver is ::1, and another to disable AD stripping in all other

> After further discussion, it seems that pwouters is okay with AD bit
> stripping in stub resolver if it is explicitly requested by a calling
> application. (E.g. by special resolver initialization.)

Again, we need fail-closed semantics.

> Approach B
> ==========
> The other approach is to do AD bit stripping in stub resolvers by default.
> It was proposed to add system-wide setting for this (e.g. to resolv.conf)
> and default to "strip AD bit unless admin configured something else".
> This approach was mentioned by Petr Spacek <>, Simo Sorce
> <>, Viktor Dukhovni <>, Tony Finch
> <>, James Cloos <>.
> Naturally, application has to be able to do run-time check that it is using
> a library with this new behavior to avoid running in unsafe environment.

This might be done at install time, or first-run time if we commit to
never removing this feature once it's added and/or if we provide an
interface for notifying applications of removal of this feature.  This
approach means not having to extend APIs.  However extending APIs is
probably OK enough I think, given that we have relatively few
DNSSEC-capable apps today.

> Next Steps
> ==========
> Define what is yet not defined:
> - System-wide configuration format (e.g. modify resolv.conf vs. add a new
> file)

The former.

> - Propose specific API changes for major DNS libraries (glibc, maybe ldns
> and co.)

See below.

> - Prepare recommendation for application developers how and when to use a
> new API


> Further discussion about implementation details will happen on mailing lists
> related to the particular DNS libraries.

For the res_init() API it'd be nice to have an agreed-upon extension.
Where is that to be discussed, if at all?