Re: [dane] An AD bit discussion

"Wiley, Glen" <gwiley@verisign.com> Wed, 26 February 2014 19:10 UTC

Return-Path: <gwiley@verisign.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 912441A0813 for <dane@ietfa.amsl.com>; Wed, 26 Feb 2014 11:10:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fyWMNoZzzeaH for <dane@ietfa.amsl.com>; Wed, 26 Feb 2014 11:10:12 -0800 (PST)
Received: from exprod6og111.obsmtp.com (exprod6og111.obsmtp.com [64.18.1.27]) by ietfa.amsl.com (Postfix) with ESMTP id 517921A0726 for <dane@ietf.org>; Wed, 26 Feb 2014 11:10:00 -0800 (PST)
Received: from peregrine.verisign.com ([216.168.239.74]) (using TLSv1) by exprod6ob111.postini.com ([64.18.5.12]) with SMTP ID DSNKUw48B+7kn1CNfdXgyTu9+/DOT4Bp6E+G@postini.com; Wed, 26 Feb 2014 11:09:59 PST
Received: from brn1wnexcas02.vcorp.ad.vrsn.com (brn1wnexcas02.vcorp.ad.vrsn.com [10.173.152.206]) by peregrine.verisign.com (8.13.6/8.13.4) with ESMTP id s1QJ9wNw018442 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for <dane@ietf.org>; Wed, 26 Feb 2014 14:09:58 -0500
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas02.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0123.003; Wed, 26 Feb 2014 14:09:58 -0500
From: "Wiley, Glen" <gwiley@verisign.com>
To: "dane@ietf.org" <dane@ietf.org>
Thread-Topic: [dane] An AD bit discussion
Thread-Index: AQHPMxefb3KO91hA20Sgmp6++Nrbq5rIIDMAgAAKhYCAAALmAP//uN4A
Date: Wed, 26 Feb 2014 19:09:57 +0000
Message-ID: <CF33A546.35B3F%gwiley@verisign.com>
References: <alpine.LFD.2.10.1402260845520.3528@bofh.nohats.ca> <alpine.LSU.2.00.1402261638490.13302@hermes-1.csi.cam.ac.uk> <20140226173630.GZ21390@mournblade.imrryr.org> <alpine.LSU.2.00.1402261809330.18502@hermes-1.csi.cam.ac.uk> <20140226182432.GB21390@mournblade.imrryr.org>
In-Reply-To: <20140226182432.GB21390@mournblade.imrryr.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.9.131030
x-originating-ip: [10.173.152.4]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <D57A824E12B35746B49112710BE3D06C@verisign.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/uUhckQFh9FhQvzYN_lsLLGERqW0
Subject: Re: [dane] An AD bit discussion
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Feb 2014 19:10:17 -0000

Viktor,

Your mention of the getdns api is apropos since we just announced the beat
release of our implementation :)

An application using the getdns api can decide how it will take advantage
of the system files - for example whether it wants to use a search option
which is an improvement over the current approach in which applications
are not aware of whether a suffix was appended to a query.

I would add however that the same root operator that might add a suffix to
resolv.conf could do other nefarious things to resolvers on that host
since the root operator has significant opportunities for MITM attacks on
applications running on that host.

I think the specification takes the most reasonable approach by deferring
to the application to decide the extent to which it will respect
system-wide settings (even including trust anchors).
-- 
Glen Wiley
KK4SFV

Sr. Engineer
The Hive, Verisign, Inc.




On 2/26/14 1:24 PM, "Viktor Dukhovni" <viktor1dane@dukhovni.org>; wrote:

>On Wed, Feb 26, 2014 at 06:14:09PM +0000, Tony Finch wrote:
>
>> > As for setting the "AD" bit in the request automatically, it probably
>> > should still require an explicit indication of interest from the
>> > application or be set via a default option value /etc/resolv.conf.
>> 
>> Perhaps, though I think the AD flag is pretty benign.
>
>I think it requires EDNS0, but if that is already set, perhaps
>turning on AD by default is harmless.  This specific detail is
>perhaps more of a "dnsop" than "dane" question.
>
>By the way I just noticed that http://www.vpnc.org/getdns-api/
>does not define the interaction of DNSSEC with:
>
>    getdns_return_t getdns_context_set_append_name(
>	getdns_context *context,
>	getdns_append_name_t value );
>
>    Specifies whether to append a suffix to the query string before
>    the API starts resolving a name. The value is
>
>	GETDNS_APPEND_NAME_ALWAYS,
>	GETDNS_APPEND_NAME_ONLY_TO_SINGLE_LABEL_AFTER_FAILURE,
>	GETDNS_APPEND_NAME_ONLY_TO_MULTIPLE_LABEL_NAME_AFTER_FAILURE, or
>	GETDNS_APPEND_NAME_NEVER.
>
>    This controls whether or not to append the suffix given by
>    getdns_context_set_suffix
>
>Name appending breaks DNSSEC when any of the resulting zones are
>insecure and are tried before ultimately secure zones.  The validity
>of a request for a secure response for an under-specified query is
>IMHO questionable.
>
>-- 
>	Viktor.
>
>_______________________________________________
>dane mailing list
>dane@ietf.org
>https://www.ietf.org/mailman/listinfo/dane