Re: [dane] An AD bit discussion

Viktor Dukhovni <viktor1dane@dukhovni.org> Wed, 26 February 2014 19:12 UTC

Date: Wed, 26 Feb 2014 19:11:44 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140226191144.GC21390@mournblade.imrryr.org>
References: <alpine.LFD.2.10.1402260845520.3528@bofh.nohats.ca> <alpine.LSU.2.00.1402261638490.13302@hermes-1.csi.cam.ac.uk> <20140226173630.GZ21390@mournblade.imrryr.org> <alpine.LSU.2.00.1402261809330.18502@hermes-1.csi.cam.ac.uk> <20140226182432.GB21390@mournblade.imrryr.org> <alpine.LSU.2.00.1402261842130.13302@hermes-1.csi.cam.ac.uk>
In-Reply-To: <alpine.LSU.2.00.1402261842130.13302@hermes-1.csi.cam.ac.uk>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/VF1rum9jkSqXv73cZbCjl0RaDiw
Subject: Re: [dane] An AD bit discussion

On Wed, Feb 26, 2014 at 07:02:45PM +0000, Tony Finch wrote:

> Viktor Dukhovni <viktor1dane@dukhovni.org> wrote:
>
> > I think it requires EDNS0,
> 
> The AD bit is in the message header not the OPT pseudo-RR, so
> syntactically it doesn't require EDNS0. BIND works OK (try
> dig +qr +noedns). However the spec is silent on this matter.
> http://tools.ietf.org/html/rfc6840#page-10
> Also I think it is arguable that RFC 4035 says servers should set the
> AD flag in the response regardless of whether the client indicates
> it is security-aware. But implementations do not do that.

You're right about the AD bit of course, I was thinking of "DO".
Below setting either "AD=1" or "DO=1" elicits a validated response
from unbound, but with "DO=1" additional RRSIG records are returned.
The libresolv API does not currently expose a portable mechanism
for setting AD=1 in requests.

    $ dig +noall +comment +answer +noedns +adflag -t mx debian.org
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28554
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 6

    ;; ANSWER SECTION:
    debian.org.             3567    IN      MX      0 mailly.debian.org.
    debian.org.             3567    IN      MX      0 muffat.debian.org.

    $ dig +noall +comment +answer +dnssec -t mx debian.org
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15599
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 6, ADDITIONAL: 19

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; ANSWER SECTION:
    debian.org.             3552    IN      MX      0 mailly.debian.org.
    debian.org.             3552    IN      MX      0 muffat.debian.org.
    debian.org.             3552    IN      RRSIG   MX 7 2 ...
    debian.org.             3552    IN      RRSIG   MX 8 2 ...

-- 
	Viktor.
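The point Tony and Viktor are making is a wire-format one: AD is one of the flag bits in the fixed 12-byte DNS header, while DO sits in the "TTL" field of the EDNS0 OPT pseudo-RR, so a query can carry AD=1 with no OPT record at all. The following is an added example, not code from this thread or from any resolver library, that builds both kinds of query by hand (sidestepping the libresolv limitation Viktor mentions) and parses a response header for AD, the OPT record for DO, and the answer section for RRSIGs. The response it parses is a constructed sample shaped like the second `dig` output above; the signature bytes in it are placeholders, not a real RRSIG.

```python
"""Where the AD and DO bits live in a DNS message (added example, not from the thread)."""
import struct

# Header flag bits, RFC 1035 section 4.1.1 and RFC 4035 section 3.2.3 (AD).
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
TYPE_MX, TYPE_RRSIG, TYPE_OPT, CLASS_IN = 15, 46, 41, 1
# DO is the top bit of the OPT RR's 32-bit "TTL" field (RFC 6891 section 6.1.4).
EDNS_DO = 0x8000


def encode_name(name):
    """Encode a dotted owner name as uncompressed DNS labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype, txid=0x1234, ad=False, do=False, udp_size=4096):
    """Wire-format query. ad=True sets AD in the header (no EDNS0 involved);
    do=True appends an OPT pseudo-RR carrying the DO bit."""
    flags = FLAG_RD | (FLAG_AD if ad else 0)
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if do else 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    if do:
        # OPT: root owner name, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-rcode | version | DO | zeros, RDLENGTH 0.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO, 0)
    return msg


def build_rr(name, rtype, ttl, rdata):
    """Ordinary resource record in wire format."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Extract the validation-relevant facts: AD from the header, DO from
    the OPT record (if any), and how many RRSIGs came back."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "rcode": flags & 0xF, "answers": an,
            "edns": False, "do": False, "rrsig_count": 0}
    off = 12
    for _ in range(qd):                # question: name + QTYPE + QCLASS
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):      # answer, authority, additional
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            info["edns"] = True
            info["do"] = bool(ttl & EDNS_DO)
        elif rtype == TYPE_RRSIG:
            info["rrsig_count"] += 1
    return info


def sample_validated_response():
    """Constructed sample: a validating resolver's reply to a DO=1 MX query,
    with AD set in the header, one RRSIG in the answer, and an OPT with DO.
    The RRSIG RDATA is placeholder bytes, not a real signature."""
    header = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 2, 0, 1)
    question = encode_name("debian.org.") + struct.pack("!HH", TYPE_MX, CLASS_IN)
    mx = build_rr("debian.org.", TYPE_MX, 3552,
                  struct.pack("!H", 0) + encode_name("mailly.debian.org."))
    rrsig = build_rr("debian.org.", TYPE_RRSIG, 3552, b"\x00" * 18)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + mx + rrsig + opt


if __name__ == "__main__":
    print(parse_response(build_query("debian.org.", TYPE_MX, ad=True)))
    print(parse_response(build_query("debian.org.", TYPE_MX, do=True)))
    print(parse_response(sample_validated_response()))
```

Sending `build_query(..., ad=True)` over UDP to a validating resolver corresponds to the first `dig +noedns +adflag` run above; `do=True` corresponds to `dig +dnssec`. The parser only reports what the resolver asserted: an AD=1 in the reply is the resolver's claim that it validated, which a client should trust only over a channel it trusts to that resolver.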