Re: [dane] An AD bit discussion

Mark Andrews <> Thu, 27 February 2014 04:18 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 733221A0380 for <>; Wed, 26 Feb 2014 20:18:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.548
X-Spam-Status: No, score=-2.548 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id JejT4NymsVVp for <>; Wed, 26 Feb 2014 20:18:12 -0800 (PST)
Received: from ( [IPv6:2001:4f8:0:2::2b]) by (Postfix) with ESMTP id EA2E11A03D6 for <>; Wed, 26 Feb 2014 20:18:11 -0800 (PST)
Received: from (localhost []) by (Postfix) with ESMTP id CFEC7C9424; Thu, 27 Feb 2014 04:17:56 +0000 (UTC) (envelope-from
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=dkim2012; t=1393474690; bh=s/Ytzbz/3um78Dxxx4SjzCTA9WZPCb5EQW6bXNpBdYU=; h=To:Cc:From:References:Subject:In-reply-to:Date; b=BC1d/xwp/sZD6CIFYLyfK0A+JBlHnt3WC+LUfk4ekLTYX92IK10ZvrWP062fvY0OV sxVD8fv5fZ5eKDkLJelupoJviAjoWPH+uwgbjq6sF27esgpBxkL/PUts4BevbbgZtf 3EJU0OvXHhT+w5megFBKtKVphskBe9/YOnwCyJZQ=
Received: from ( []) by (Postfix) with ESMTP; Thu, 27 Feb 2014 04:17:56 +0000 (UTC) (envelope-from
Received: from (localhost []) by (Postfix) with ESMTP id 8A5AE16004C; Thu, 27 Feb 2014 04:18:49 +0000 (UTC)
Received: from ( []) by (Postfix) with ESMTPSA id 5ACAF16004A; Thu, 27 Feb 2014 04:18:48 +0000 (UTC)
Received: from (localhost [IPv6:::1]) by (Postfix) with ESMTP id 3509810773A8; Thu, 27 Feb 2014 15:17:53 +1100 (EST)
To: Andrew Sullivan <>
From: Mark Andrews <>
References: <> <> <> <> <> <>
In-reply-to: Your message of "Wed, 26 Feb 2014 22:47:23 -0500." <>
Date: Thu, 27 Feb 2014 15:17:53 +1100
Message-Id: <>
X-DCC--Metrics:; whitelist
Subject: Re: [dane] An AD bit discussion
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 27 Feb 2014 04:18:13 -0000

In message <>fo>, Andrew Sullivan writes:
> Hi,
> On Thu, Feb 27, 2014 at 02:16:28PM +1100, Mark Andrews wrote:
> > Blindly trusting AD from anything other than / ::1 is
> > asking for trouble even if IPsec is being used.  The problem is
> > that you still need to trust the server and anything over the net
> > should be untrusted by default.
> While I'm pleased as ever to know your personal preferences in this
> matter, what I was asking was for information about what Microsoft is
> actually shipping, and you seem not to have replied to that question
> at all.  But I am not sure about your assertion about "should" above,
> in at least some scenarios: I think that's exactly what we're
> discussing, so you can't just say that one of the possibilities is the
> right answer (that would be circular).
> As I understood the deployment model implicit in what Microsoft
> shipped (at least in the past), you were not "blindly" trusting the
> server, but trusting the server that gave you your IP address, your
> definition within the local SMB domain, and so on.  In other words,
> _not_ trusting the server in question is functionally equivalent to
> "doesn't work", so the threat model you have in the above is
> completely misaligned with the deployment scenario that I think was
> implicit in the product Microsoft shipped.  This is the reason for the
> reliance on IPSec.  I believe that that product was entirely
> consistent with the DNSSEC specifications (though it might be subject
> to certain kinds of attacks if the attacker can take over the relevant
> server).

Just because a server gave you IP addresses doesn't make it trust
worthy for DNSSEC.

Just because a server gave you credentials which allow you to
register is AD doesn't make it trust worthy for DNSSEC.

You can trust something for A but not B.  Now you can tell a machine
if you get A you should also trust it for B but one should be very
careful about it.

As for not working, if you don't trust the AD bit you are left with
the status quo, which isn't everything is not working.

I walk into a coffee shop.  I get a address.  I manage to get IPsec
running between the server and myself because both ends are configured
for opportunistic IPsec.  This does not mean I should trust the AD

> I think that it is quite similar to the issue that Paul was raising
> with his "virtual servers" scenario.  In some virtualized environment,
> if you can't trust other systems that share the same physical hardware
> as you, you're hosed anyway.  Additional protection is going to get
> you nothing, and in that case as Paul was arguing it's better to have
> the default provide more rather than less protection, even if that
> "protection" is completely bogus under some other scenarios.
> Best regards,
> A
> -- 
> Andrew Sullivan
> _______________________________________________
> dane mailing list
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: