Re: [dane] AD bit handling in stub-resolvers: conclusions and compromises

Viktor Dukhovni <viktor1dane@dukhovni.org> Tue, 08 April 2014 17:49 UTC

Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60E851A0667 for <dane@ietfa.amsl.com>; Tue, 8 Apr 2014 10:49:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level:
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_20=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W2K8yfSB5DPB for <dane@ietfa.amsl.com>; Tue, 8 Apr 2014 10:49:38 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) by ietfa.amsl.com (Postfix) with ESMTP id 5A9361A0488 for <dane@ietf.org>; Tue, 8 Apr 2014 10:49:38 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 1A3FA2AABDF; Tue, 8 Apr 2014 17:49:37 +0000 (UTC)
Date: Tue, 8 Apr 2014 17:49:37 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140408174936.GL12559@mournblade.imrryr.org>
References: <533EB433.5060204@redhat.com> <0lha63rb6i.fsf@wjh.hardakers.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <0lha63rb6i.fsf@wjh.hardakers.net>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/f7cllIUB4LV_dN0K_gtvAy-CMKA
Subject: Re: [dane] AD bit handling in stub-resolvers: conclusions and compromises
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Apr 2014 17:49:40 -0000

On Tue, Apr 08, 2014 at 10:19:33AM -0700, Wes Hardaker wrote:

> Petr Spacek <pspacek@redhat.com>; writes:
> 
> > It seems that almost everyone agree that local validating resolver is the
> > best option.
> 
> I failed to pipe up before, unfortunately.
> 
> But, no I don't agree that's the best solution.  The reality is that in
> some cases we're making *security decisions* based on the results of a
> flag that we're not 100% sure of the source.  Without doing something
> like replacing the system library's notion of even looking at
> resolv.conf and only looking for 127.0.0.1, then you can't be 100% sure
> that the bit you get back is actually trustable.  If the default install
> of the OS does the right thing, who's to say it'll stay that way.

This is where Wes and I part ways somewhat, but fortunately, this
issue is not an impediment to the SMTP DANE draft.

> As an application author who might want absolute assurance that DNSSEC
> was done (because I'm bootstrapping TLS or SSH or ... off of it), then
> my ideal situation is to have a local resolver for caching purposes, but
> to actually do validation in-application.

For me doing it in application, means costly integration of complex
code into the application that will add considerable latency because
the application will have a cold DNSSEC cache (and will now need
a cache where one was not needed before...  The Plan-9 approach of
moving security features into system services is I think far
preferable.

The intersection of the position Wes takes and mine is some sort
of 'assured' AD bit, which I am not opposed to in principle, provided
this is in fact a reasonable plan of action.

So for example, extending libresolv to match long-established BSD
semantics to improve thread safety and provide more application
control would suffice, res_ninit(), res_setservers(), ...  plus
ideally the ability to set the "AD" bit in the request (rather than
"DO", reducing the quantity of unnecessary bloat in the reply).

That way applications that want a local resolver can be configured
to use one, and can make appropriate fallback decisions if one is
not available.

As for *censoring* the AD bit, that approach is likely more
problematic and I think is where Paul Wouters and Petr part ways...

So please make it possible in all the various DNS APIs (that don't
already do this) for the stub resolver to override the default
nameserver list (static or insecurely obtained from DHCP).  Give
the stub resolver more control over the "AD" and "DO" bits, and
think long and hard about whether censoring is a viable approach
it may well be a bad idea.

-- 
	Viktor.