Re: [dane] An AD bit discussion
"Wiley, Glen" <gwiley@verisign.com> Wed, 26 February 2014 19:10 UTC
Return-Path: <gwiley@verisign.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 912441A0813 for <dane@ietfa.amsl.com>; Wed, 26 Feb 2014 11:10:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fyWMNoZzzeaH for <dane@ietfa.amsl.com>; Wed, 26 Feb 2014 11:10:12 -0800 (PST)
Received: from exprod6og111.obsmtp.com (exprod6og111.obsmtp.com [64.18.1.27]) by ietfa.amsl.com (Postfix) with ESMTP id 517921A0726 for <dane@ietf.org>; Wed, 26 Feb 2014 11:10:00 -0800 (PST)
Received: from peregrine.verisign.com ([216.168.239.74]) (using TLSv1) by exprod6ob111.postini.com ([64.18.5.12]) with SMTP ID DSNKUw48B+7kn1CNfdXgyTu9+/DOT4Bp6E+G@postini.com; Wed, 26 Feb 2014 11:09:59 PST
Received: from brn1wnexcas02.vcorp.ad.vrsn.com (brn1wnexcas02.vcorp.ad.vrsn.com [10.173.152.206]) by peregrine.verisign.com (8.13.6/8.13.4) with ESMTP id s1QJ9wNw018442 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for <dane@ietf.org>; Wed, 26 Feb 2014 14:09:58 -0500
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas02.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0123.003; Wed, 26 Feb 2014 14:09:58 -0500
From: "Wiley, Glen" <gwiley@verisign.com>
To: "dane@ietf.org" <dane@ietf.org>
Thread-Topic: [dane] An AD bit discussion
Thread-Index: AQHPMxefb3KO91hA20Sgmp6++Nrbq5rIIDMAgAAKhYCAAALmAP//uN4A
Date: Wed, 26 Feb 2014 19:09:57 +0000
Message-ID: <CF33A546.35B3F%gwiley@verisign.com>
References: <alpine.LFD.2.10.1402260845520.3528@bofh.nohats.ca> <alpine.LSU.2.00.1402261638490.13302@hermes-1.csi.cam.ac.uk> <20140226173630.GZ21390@mournblade.imrryr.org> <alpine.LSU.2.00.1402261809330.18502@hermes-1.csi.cam.ac.uk> <20140226182432.GB21390@mournblade.imrryr.org>
In-Reply-To: <20140226182432.GB21390@mournblade.imrryr.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.9.131030
x-originating-ip: [10.173.152.4]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <D57A824E12B35746B49112710BE3D06C@verisign.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/uUhckQFh9FhQvzYN_lsLLGERqW0
Subject: Re: [dane] An AD bit discussion
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Feb 2014 19:10:17 -0000
Viktor, Your mention of the getdns api is apropos since we just announced the beat release of our implementation :) An application using the getdns api can decide how it will take advantage of the system files - for example whether it wants to use a search option which is an improvement over the current approach in which applications are not aware of whether a suffix was appended to a query. I would add however that the same root operator that might add a suffix to resolv.conf could do other nefarious things to resolvers on that host since the root operator has significant opportunities for MITM attacks on applications running on that host. I think the specification takes the most reasonable approach by deferring to the application to decide the extent to which it will respect system-wide settings (even including trust anchors). -- Glen Wiley KK4SFV Sr. Engineer The Hive, Verisign, Inc. On 2/26/14 1:24 PM, "Viktor Dukhovni" <viktor1dane@dukhovni.org> wrote: >On Wed, Feb 26, 2014 at 06:14:09PM +0000, Tony Finch wrote: > >> > As for setting the "AD" bit in the request automatically, it probably >> > should still require an explicit indication of interest from the >> > application or be set via a default option value /etc/resolv.conf. >> >> Perhaps, though I think the AD flag is pretty benign. > >I think it requires EDNS0, but if that is already set, perhaps >turning on AD by default is harmless. This specific detail is >perhaps more of a "dnsop" than "dane" question. > >By the way I just noticed that http://www.vpnc.org/getdns-api/ >does not define the interaction of DNSSEC with: > > getdns_return_t getdns_context_set_append_name( > getdns_context *context, > getdns_append_name_t value ); > > Specifies whether to append a suffix to the query string before > the API starts resolving a name. The value is > > GETDNS_APPEND_NAME_ALWAYS, > GETDNS_APPEND_NAME_ONLY_TO_SINGLE_LABEL_AFTER_FAILURE, > GETDNS_APPEND_NAME_ONLY_TO_MULTIPLE_LABEL_NAME_AFTER_FAILURE, or > GETDNS_APPEND_NAME_NEVER. > > This controls whether or not to append the suffix given by > getdns_context_set_suffix > >Name appending breaks DNSSEC when any of the resulting zones are >insecure and are tried before ultimately secure zones. The validity >of a request for a secure response for an under-specified query is >IMHO questionable. > >-- > Viktor. > >_______________________________________________ >dane mailing list >dane@ietf.org >https://www.ietf.org/mailman/listinfo/dane
- Re: [dane] An AD bit discussion Paul Wouters
- [dane] An AD bit discussion Paul Wouters
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Ondřej Surý
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Petr Spacek
- Re: [dane] An AD bit discussion Petr Spacek
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Tony Finch
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Petr Spacek
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Olafur Gudmundsson
- Re: [dane] An AD bit discussion Tony Finch
- Re: [dane] An AD bit discussion Tony Finch
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Tony Finch
- Re: [dane] An AD bit discussion Wiley, Glen
- Re: [dane] An AD bit discussion James Cloos
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Andreas Schulze
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Paul Wouters
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Andrew Sullivan
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Andrew Sullivan
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Andrew Sullivan
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Paul Wouters
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Petr Spacek
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion (correction) Viktor Dukhovni
- Re: [dane] An AD bit discussion Paul Wouters
- Re: [dane] An AD bit discussion Paul Wouters
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Tony Finch
- Re: [dane] An AD bit discussion Petr Spacek
- Re: [dane] An AD bit discussion (correction) Petr Spacek
- Re: [dane] An AD bit discussion (+concerns from g… Petr Spacek
- Re: [dane] An AD bit discussion (correction) Viktor Dukhovni
- Re: [dane] An AD bit discussion (+concerns from g… Viktor Dukhovni
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion (correction) Viktor Dukhovni
- [dane] Proposal: AD bit handling in stub-resolver… Petr Spacek
- Re: [dane] An AD bit discussion Michael Richardson
- Re: [dane] An AD bit discussion Simo Sorce
- Re: [dane] An AD bit discussion Michael Richardson
- Re: [dane] An AD bit discussion Michael Richardson
- Re: [dane] An AD bit discussion Simo Sorce
- Re: [dane] An AD bit discussion Michael Richardson
- Re: [dane] An AD bit discussion Michael Richardson
- Re: [dane] Proposal: AD bit handling in stub-reso… Viktor Dukhovni
- Re: [dane] An AD bit discussion Florian Weimer
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Petr Spacek
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Petr Spacek