Re: [dane] AD bit handling in stub-resolvers: conclusions and compromises

Wes Hardaker <> Tue, 08 April 2014 17:19 UTC

From: Wes Hardaker <>
To: Petr Spacek <>
References: <>
Date: Tue, 08 Apr 2014 10:19:33 -0700
In-Reply-To: <> (Petr Spacek's message of "Fri, 04 Apr 2014 15:31:31 +0200")

Petr Spacek <> writes:

> It seems that almost everyone agrees that a local validating resolver is the
> best option.

I failed to pipe up before, unfortunately.

But no, I don't agree that's the best solution.  The reality is that in
some cases we're making *security decisions* based on the results of a
flag whose source we're not 100% sure of.  Without doing something
like replacing the system library's notion of even looking at
resolv.conf and only looking for, then you can't be 100% sure
that the bit you get back is actually trustable.  If the default install
of the OS does the right thing, who's to say it'll stay that way?

As an application author who might want absolute assurance that DNSSEC
was done (because I'm bootstrapping TLS or SSH or ... off of it), then
my ideal situation is to have a local resolver for caching purposes, but
to actually do validation in-application.

Wes Hardaker
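The compromise the thread is weighing (trust a set AD bit only when the answering resolver is on loopback, and otherwise ignore it) can be written down as an explicit check. The following is an added illustration, not code from this message or from any DNS library; it parses only the fixed 12-byte DNS header, uses constructed sample data, and the resolv.conf text and addresses are assumptions for the example.

```python
import struct
import ipaddress

# The AD ("Authenticated Data") bit is bit 5 of the second flags byte in the
# 12-byte DNS message header (RFC 2535 / RFC 4035), i.e. mask 0x0020.
AD_MASK = 0x0020

def parse_header(msg: bytes) -> dict:
    """Parse the fixed 12-byte DNS header and report whether AD is set."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "flags": flags, "ad": bool(flags & AD_MASK),
            "ancount": an}

def resolvers_from_resolv_conf(text: str) -> list:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def ad_bit_is_trustworthy(resolver: str, msg: bytes) -> bool:
    """Treat a set AD bit as meaningful only when the resolver that set it is
    reached over loopback, so no on-path party could have flipped the bit.
    An AD bit from any other address is ignored (treated as unset)."""
    if not parse_header(msg)["ad"]:
        return False
    return ipaddress.ip_address(resolver).is_loopback

def trustworthy_resolvers(resolv_conf: str, msg: bytes) -> list:
    """Which configured resolvers would we accept a set AD bit from?"""
    return [r for r in resolvers_from_resolv_conf(resolv_conf)
            if ad_bit_is_trustworthy(r, msg)]

# Constructed sample: response header with QR, RD, RA and AD set, one answer.
FLAGS_QR_RD_RA_AD = 0x8000 | 0x0100 | 0x0080 | AD_MASK   # 0x81a0
SAMPLE_RESPONSE = struct.pack("!HHHHHH", 0x1234, FLAGS_QR_RD_RA_AD, 1, 1, 0, 0)
# Same header without AD.
SAMPLE_RESPONSE_NO_AD = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)

# Constructed resolv.conf: one loopback resolver, one remote (documentation range).
SAMPLE_RESOLV_CONF = "# constructed example\nnameserver 127.0.0.1\nnameserver 192.0.2.53\n"
```

This only encodes the loopback compromise; an application that wants the stronger assurance argued for above would still have to run a full DNSSEC validator itself rather than consult the AD bit at all.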