Re: [dane] An AD bit discussion

Viktor Dukhovni <viktor1dane@dukhovni.org> Thu, 27 February 2014 18:16 UTC

Date: Thu, 27 Feb 2014 18:16:43 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140227181643.GV21390@mournblade.imrryr.org>
References: <alpine.LFD.2.10.1402261930400.3528@bofh.nohats.ca> <20140227022347.GC73737@mx1.yitter.info> <20140227031628.B4A1610765F9@rock.dv.isc.org> <20140227034723.GA73861@mx1.yitter.info> <20140227041753.3509810773A8@rock.dv.isc.org> <20140227044213.GO21390@mournblade.imrryr.org> <alpine.LFD.2.10.1402270015320.6180@bofh.nohats.ca> <20140227054617.GP21390@mournblade.imrryr.org> <530F3A64.2000001@redhat.com> <alpine.LFD.2.10.1402271144500.24957@bofh.nohats.ca>
In-Reply-To: <alpine.LFD.2.10.1402271144500.24957@bofh.nohats.ca>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/iUA6jsGklkJaApmrK5c8zlplHHE
Subject: Re: [dane] An AD bit discussion

On Thu, Feb 27, 2014 at 12:01:44PM -0500, Paul Wouters wrote:
> On Thu, 27 Feb 2014, Petr Spacek wrote:
> 
> >Now we need to discuss 'a temporary solution' for the case where a
> >validating resolver is not available for whatever reason.
> 
> I don't agree with this premise, but those applications can be changed
> to use (most error handling removed for clarity):

Can *in principle* be changed, but in practice this is often
unlikely.  Postfix works well enough with libresolv, and supports
many older platforms.  Moving to libunbound, which is not as widely
deployed, is not worth the benefit.

The base libresolv library should be enhanced to at least catch up
with BSD-like systems and offer res_ninit(), res_nsearch(), ...
Beyond that it would be good to be able to tell libresolv:

    * I want AD without RRSIG

and to ask libresolv:

    - Do you trust the AD bit from your nameservers?

with that and an appropriate administrator-settable predicate in
resolv.conf we're largely set.  Applications which call res_setservers()
should automatically receive AD=1.

-- 
	Viktor.
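The two questions above (is AD set in the answer, and is the AD bit from this nameserver trustworthy at all) are what an application has to settle for itself today. The following is an added illustration, not code from this thread, from Postfix or from libresolv: it reads the AD flag from a raw DNS response header (the buffer `res_nquery()` fills in) and applies an assumed administrator predicate that only trusts AD from a loopback resolver. The header bytes and the loopback-only policy are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Flag bits of the 16-bit DNS header flags word (RFC 1035; AD/CD from RFC 4035). */
#define DNS_FLAG_QR 0x8000
#define DNS_FLAG_AD 0x0020

/* Returns 1 if the response header carries AD=1, 0 if AD=0, -1 if the buffer
 * is too short or is not a response.  msg is the wire-format answer, e.g. the
 * buffer returned by res_nquery(); only the 12-byte header is inspected. */
int dns_answer_ad(const unsigned char *msg, size_t len) {
    if (len < 12) return -1;
    uint16_t flags = (uint16_t)((msg[2] << 8) | msg[3]);
    if (!(flags & DNS_FLAG_QR)) return -1;
    return (flags & DNS_FLAG_AD) ? 1 : 0;
}

/* Assumed administrator policy: the AD bit is only meaningful when the
 * resolver is reached over a channel nobody can tamper with, so trust it
 * solely from a loopback (127.0.0.0/8 or ::1) nameserver address. */
bool ad_trusted_server(const char *server) {
    struct in_addr a4;
    struct in6_addr a6;
    if (inet_pton(AF_INET, server, &a4) == 1)
        return (ntohl(a4.s_addr) >> 24) == 127;
    if (inet_pton(AF_INET6, server, &a6) == 1)
        return IN6_IS_ADDR_LOOPBACK(&a6);
    return false;
}

/* Both conditions must hold before an application treats an answer as
 * DNSSEC-validated (e.g. before using TLSA records for DANE). */
bool answer_is_authenticated(const unsigned char *msg, size_t len, const char *server) {
    return dns_answer_ad(msg, len) == 1 && ad_trusted_server(server);
}

/* Constructed 12-byte headers: ID 0x1234, QR|RD|RA with and without AD. */
static const unsigned char HDR_AD[12]   = {0x12, 0x34, 0x81, 0xa0, 0, 1, 0, 1, 0, 0, 0, 1};
static const unsigned char HDR_NOAD[12] = {0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 1};

int main(void) {
    printf("AD from 127.0.0.1: %d\n", answer_is_authenticated(HDR_AD, 12, "127.0.0.1"));
    printf("AD from 192.0.2.53: %d\n", answer_is_authenticated(HDR_AD, 12, "192.0.2.53"));
    printf("no AD from 127.0.0.1: %d\n", answer_is_authenticated(HDR_NOAD, 12, "127.0.0.1"));
    return 0;
}
```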