Re: [dane] An AD bit discussion

Paul Wouters <paul@nohats.ca> Thu, 27 February 2014 17:01 UTC

Date: Thu, 27 Feb 2014 12:01:44 -0500
From: Paul Wouters <paul@nohats.ca>
To: Petr Spacek <pspacek@redhat.com>
In-Reply-To: <530F3A64.2000001@redhat.com>
Message-ID: <alpine.LFD.2.10.1402271144500.24957@bofh.nohats.ca>
References: <alpine.LFD.2.10.1402260845520.3528@bofh.nohats.ca> <m3txbly9ui.fsf@carbon.jhcloos.org> <alpine.LFD.2.10.1402261930400.3528@bofh.nohats.ca> <20140227022347.GC73737@mx1.yitter.info> <20140227031628.B4A1610765F9@rock.dv.isc.org> <20140227034723.GA73861@mx1.yitter.info> <20140227041753.3509810773A8@rock.dv.isc.org> <20140227044213.GO21390@mournblade.imrryr.org> <alpine.LFD.2.10.1402270015320.6180@bofh.nohats.ca> <20140227054617.GP21390@mournblade.imrryr.org> <530F3A64.2000001@redhat.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/yo4LEN-xTo7ZxbKBT08ae5juh88
Cc: dane@ietf.org
Subject: Re: [dane] An AD bit discussion

On Thu, 27 Feb 2014, Petr Spacek wrote:

> Now we need to discuss 'a temporary solution' for the case where a validating 
> resolver is not available for whatever reason.

I don't agree with this premise, but those applications can be changed
to use (most error handling removed for clarity):

	#include <stdio.h>
	#include <sys/socket.h>   /* AF_INET6 */
	#include <unbound.h>      /* libunbound; link with -lunbound */

	/* one time setup */
	struct ub_ctx *dnsctx = ub_ctx_create(); /* create unbound resolver context */
	ub_ctx_hosts(dnsctx, "/etc/hosts"); /* emulate POSIX */
	ub_ctx_resolvconf(dnsctx, "/etc/resolv.conf"); /* use nameservers from resolv.conf */
	ub_ctx_add_ta(dnsctx, rootanchor); /* root key auto-updates via /var/lib/unbound/root.anchor */
	ub_ctx_set_option(dnsctx, "dlv-anchor:", dlvanchor); /* activate DLV */

	/* example query: qname is the name to look up, af the address family wanted */
	const int qtype = (af == AF_INET6) ? 28 : 1; /* AAAA or A */
	struct ub_result *result;
	ub_resolve(dnsctx, qname, qtype, 1 /* CLASS IN */, &result);

	if (result->bogus) {
		fprintf(stderr, "ERROR: %s failed DNSSEC validation!\n", result->qname);
		/* [ do application is under attack defense ] */
	} else if (result->havedata) {
		if (result->secure) {   /* look, a real AD bit! */
			/* [ do application stuff that trusts AD bit ] */
		} else {
			/* [ do application stuff with no AD bit ] */
		}
	}
	ub_resolve_free(result); /* free the result exactly once, on every path */


This has the same effect as stripping out forged AD bits, except real AD
bits survive. It uses whatever nameservers the system has in
/etc/resolv.conf. It supports overrides in /etc/hosts. It does not
require glibc modification. It does not require various applications
read new keywords in resolv.conf or new config files. It has no race
conditions. It's a great band-aid until "tomorrow".

And possibly, the getdns API has an even simpler way of doing this.

Is this really too hard to do today for those old applications that need
to be fixed and for the new applications you will write tomorrow?
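For contrast, here is the "stripping out forged AD bits" band-aid that the message above argues against, as an added example that is not part of the original mail: a decoder for the 12-byte DNS header (RFC 1035, AD/CD bits from RFC 4035) and a filter that clears AD unless the answer arrived over a path the caller trusts. The `resolver_trusted` flag is an assumed input (for instance "validator on localhost"); the sample response header is constructed for the demo.

```python
import struct

# DNS header flag bits (RFC 1035; AD and CD from RFC 4035 section 3.2.3)
FLAG_QR = 0x8000
FLAG_AA = 0x0400
FLAG_TC = 0x0200
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020  # Authenticated Data: set by a validating resolver
FLAG_CD = 0x0010  # Checking Disabled
RCODE_MASK = 0x000F


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into its fields."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": msg_id,
        "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
        "tc": bool(flags & FLAG_TC), "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA), "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD), "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def strip_untrusted_ad(msg: bytes, resolver_trusted: bool) -> bytes:
    """Clear AD unless the response came over a trusted path.

    A stub cannot tell a real AD bit from one set by an on-path forger, so
    without a trusted path the only safe reading of AD is 'unknown'.
    resolver_trusted is an assumed caller-supplied decision."""
    if resolver_trusted:
        return msg
    flags = struct.unpack("!H", msg[2:4])[0] & ~FLAG_AD
    return msg[:2] + struct.pack("!H", flags) + msg[4:]


# Constructed sample: response header with QR, RD, RA, AD set, NOERROR, one answer
SAMPLE_RESPONSE = struct.pack(
    "!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 0)

if __name__ == "__main__":
    print("AD as received:", parse_header(SAMPLE_RESPONSE)["ad"])
    print("AD after strip:", parse_header(strip_untrusted_ad(SAMPLE_RESPONSE, False))["ad"])
```

Note what this filter cannot do: it can only throw the AD bit away, whereas the libunbound code above gets a `secure` flag the application itself established.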