Re: [dane] An AD bit discussion

Viktor Dukhovni <viktor1dane@dukhovni.org> Thu, 27 February 2014 04:42 UTC

Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDC0B1A06B8 for <dane@ietfa.amsl.com>; Wed, 26 Feb 2014 20:42:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 28I-Ort3M_Qy for <dane@ietfa.amsl.com>; Wed, 26 Feb 2014 20:42:15 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) by ietfa.amsl.com (Postfix) with ESMTP id BC24A1A03F5 for <dane@ietf.org>; Wed, 26 Feb 2014 20:42:15 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id EFBC22AAD0C; Thu, 27 Feb 2014 04:42:13 +0000 (UTC)
Date: Thu, 27 Feb 2014 04:42:13 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140227044213.GO21390@mournblade.imrryr.org>
References: <alpine.LFD.2.10.1402260845520.3528@bofh.nohats.ca> <m3txbly9ui.fsf@carbon.jhcloos.org> <alpine.LFD.2.10.1402261930400.3528@bofh.nohats.ca> <20140227022347.GC73737@mx1.yitter.info> <20140227031628.B4A1610765F9@rock.dv.isc.org> <20140227034723.GA73861@mx1.yitter.info> <20140227041753.3509810773A8@rock.dv.isc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20140227041753.3509810773A8@rock.dv.isc.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/QH9ijhOOa2XBc65gYJ6X2P30ZLo
Subject: Re: [dane] An AD bit discussion
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Feb 2014 04:42:18 -0000

On Thu, Feb 27, 2014 at 03:17:53PM +1100, Mark Andrews wrote:

> I walk into a coffee shop.  I get a address.  I manage to get IPsec
> running between the server and myself because both ends are configured
> for opportunistic IPsec.  This does not mean I should trust the AD
> bit.

We are starting to veer off-track.  The original discussion is
about stub resolver policy choices, which I read to be broadly:

    - Sensible defaults absent any configuration to the contrary?

    - Where should non-default configuration be specified?

	* System configuration files?

	* Application?

	* Both?

    - What mechanisms are appropriate for stub-resolver users to
      express the application security requirements (AD only,
      AD + RRSIGs for in-application validation)?

It sounds like there is no strong objection to defaulting to no
trust.

Either there is a default white-list of trusted nameservers (127.1,
::1) or the administrator has to explicitly bless the full list in
/etc/resolv.conf.  I've not heard many clear preferences from others
in one direction or the other.  I personally, prefer a global "trust
the nameserver list" predicate over a white-list.

I am hoping that folks here agree that generally the person or
program that writes /etc/resolv.conf is in a better position to
set the default policy than most applications, and so the stub
resolver should takes its cues from /etc/resolv.conf first.

Naturally, given appropriate APIs, applications may be able to
override this.  Thus an application that sets the nameserver
list explicitly and then asks for the AD bit, should reasonably
expect that its chosen list will not be second-guessed by the
stub resolver library.

Beyond that are API design issues, for specifying the application's
desire for AD only, AD + RRSIGs.  It would be best in libresolv to
include support for res_ninit(), res_nsearch(), res_setservers()
and so on.  Support for "getdns" would be nice if deemed ready to
be a libresolv replacement or alternative.

So likely RedHat should proceed with extensions to resolv.conf to
express the trust status of the nameserver list, and improvements
to libresolv.  The default stub-resolver policy can reasonably be
non-trust of all nameservers (typically from DHCP).

Applications should be aware that mixing DNSSEC with RES_DNSRCH is
likely non-deterministic and unsafe.  While RES_DEFNAMES may be
less problematic, it still should be avoided.  Applications that
need to process the security status of particular RRsets, should
be particular about those RRsets and specify then precisely.  It
may be more prudent to use res_[n]query() rather than res_search().

-- 
	Viktor.