Re: [dane] AD bit handling in stub-resolvers: conclusions and compromises
Viktor Dukhovni <viktor1dane@dukhovni.org> Tue, 08 April 2014 17:49 UTC
Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60E851A0667 for <dane@ietfa.amsl.com>; Tue, 8 Apr 2014 10:49:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level:
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_20=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W2K8yfSB5DPB for <dane@ietfa.amsl.com>; Tue, 8 Apr 2014 10:49:38 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) by ietfa.amsl.com (Postfix) with ESMTP id 5A9361A0488 for <dane@ietf.org>; Tue, 8 Apr 2014 10:49:38 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 1A3FA2AABDF; Tue, 8 Apr 2014 17:49:37 +0000 (UTC)
Date: Tue, 08 Apr 2014 17:49:37 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140408174936.GL12559@mournblade.imrryr.org>
References: <533EB433.5060204@redhat.com> <0lha63rb6i.fsf@wjh.hardakers.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <0lha63rb6i.fsf@wjh.hardakers.net>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/f7cllIUB4LV_dN0K_gtvAy-CMKA
Subject: Re: [dane] AD bit handling in stub-resolvers: conclusions and compromises
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Apr 2014 17:49:40 -0000
On Tue, Apr 08, 2014 at 10:19:33AM -0700, Wes Hardaker wrote: > Petr Spacek <pspacek@redhat.com> writes: > > > It seems that almost everyone agree that local validating resolver is the > > best option. > > I failed to pipe up before, unfortunately. > > But, no I don't agree that's the best solution. The reality is that in > some cases we're making *security decisions* based on the results of a > flag that we're not 100% sure of the source. Without doing something > like replacing the system library's notion of even looking at > resolv.conf and only looking for 127.0.0.1, then you can't be 100% sure > that the bit you get back is actually trustable. If the default install > of the OS does the right thing, who's to say it'll stay that way. This is where Wes and I part ways somewhat, but fortunately, this issue is not an impediment to the SMTP DANE draft. > As an application author who might want absolute assurance that DNSSEC > was done (because I'm bootstrapping TLS or SSH or ... off of it), then > my ideal situation is to have a local resolver for caching purposes, but > to actually do validation in-application. For me doing it in application, means costly integration of complex code into the application that will add considerable latency because the application will have a cold DNSSEC cache (and will now need a cache where one was not needed before... The Plan-9 approach of moving security features into system services is I think far preferable. The intersection of the position Wes takes and mine is some sort of 'assured' AD bit, which I am not opposed to in principle, provided this is in fact a reasonable plan of action. So for example, extending libresolv to match long-established BSD semantics to improve thread safety and provide more application control would suffice, res_ninit(), res_setservers(), ... plus ideally the ability to set the "AD" bit in the request (rather than "DO", reducing the quantity of unnecessary bloat in the reply). That way applications that want a local resolver can be configured to use one, and can make appropriate fallback decisions if one is not available. As for *censoring* the AD bit, that approach is likely more problematic and I think is where Paul Wouters and Petr part ways... So please make it possible in all the various DNS APIs (that don't already do this) for the stub resolver to override the default nameserver list (static or insecurely obtained from DHCP). Give the stub resolver more control over the "AD" and "DO" bits, and think long and hard about whether censoring is a viable approach it may well be a bad idea. -- Viktor.
- [dane] AD bit handling in stub-resolvers: conclus… Petr Spacek
- Re: [dane] AD bit handling in stub-resolvers: con… Wes Hardaker
- Re: [dane] AD bit handling in stub-resolvers: con… Viktor Dukhovni
- Re: [dane] AD bit handling in stub-resolvers: con… Mark Andrews
- Re: [dane] AD bit handling in stub-resolvers: con… Nico Williams
- Re: [dane] AD bit handling in stub-resolvers: con… Nico Williams
- Re: [dane] AD bit handling in stub-resolvers: con… Paul Wouters
- Re: [dane] AD bit handling in stub-resolvers: con… Paul Wouters