Re: [dane] An AD bit discussion

Viktor Dukhovni <> Thu, 27 February 2014 05:46 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 97BBA1A0409 for <>; Wed, 26 Feb 2014 21:46:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id VcTG1PmZHoIY for <>; Wed, 26 Feb 2014 21:46:19 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id DA3D51A01B3 for <>; Wed, 26 Feb 2014 21:46:18 -0800 (PST)
Received: by (Postfix, from userid 1034) id 27FFB2AAD0C; Thu, 27 Feb 2014 05:46:17 +0000 (UTC)
Date: Thu, 27 Feb 2014 05:46:17 +0000
From: Viktor Dukhovni <>
Message-ID: <>
References: <> <> <> <> <> <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dane] An AD bit discussion
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 27 Feb 2014 05:46:20 -0000

On Thu, Feb 27, 2014 at 12:29:57AM -0500, Paul Wouters wrote:

> >So likely RedHat should proceed with extensions to resolv.conf to
> >express the trust status of the nameserver list, and improvements
> >to libresolv.  The default stub-resolver policy can reasonably be
> >non-trust of all nameservers (typically from DHCP).
> But it is so much better for all server installs to just install a
> validating resolver, point resolv.conf to localhost, and use the DHCP
> obtained DNS servers (or admin configured DNS servers) as forwarders.
> Then all applications can trust the AD bit. That's a simply a reality
> that's possible today. Even upgrading machines to this is not that hard.

Yes, up-thread, this my ideal future world too.

> That's why I'm not really in favour of adding legacy to glibc or
> resolv.conf. Especially because there are also so few applications that
> actually do anything with AD bits, plus we are still working on API and
> DNSOP documents on how to improve/secure the DNS transport for talking
> to remote servers.

But what to do when things are not ideal, perhaps because someone
disagrees with our ideal.  How do we let them assert that AD should
be trusted?

One could always trust AD, and leave up to the platform vendor and
system administrator to make it so.  Or one could default to not
trust AD unless resolv.conf says so, and the out-of-the-box
"experience" could be made to include a 127.1 nameserver and the
the right new predicate in /etc/resolv.conf, and glue to have DHCP
tweak forwarders (subject to relevant DHCP configuration) rather
than mess with resolv.conf (much better for reasons beyond DNSSEC

Then it is up to adventurous administrators to mess this up.  Some
will want to bless "remote" resolvers, that we might not want
to bless by default.

As to the question of whether always trusting AD when the recursive
resolvers are not "secure" is OK?  I don't know.  Depends what
applications do with that trust.

For Postfix with "smtp_tls_security_level = dane", the worst thing
that happens is misleading logs that claim more security than you
got.  Postfix also has a "dane-only" security level, for folks who
want stronger security to designated destinations.  In this case
trusting an "insecure" AD bit is not so good.

This said, the Postfix administrator is assumed to be involved in
administration of the platform it runs on (needs root for various
Postfix activities anyway).  So Postfix always trusts AD, and
documents that it is the administrators job to ensure that this is

Can you take the same view across all future applications?  Or is
more caution warranted?  I'm reluctant to claim that good enough
for Postfix, is good enough for everything...