Hi,
I've been part of a very long and heated discussion about the trust of the AD bit. I would like to hear from people here what they think.

I'm currently aware of two (non-DNS utilities) applications that make security decisions based on "blindly" trusting the AD bit: ssh with VerifyHostKeyDNS=yes|ask and Postfix. libreswan and strongswan are examples of applications that use libunbound for in-application DNSSEC validation to avoid needing to trust /etc/resolv.conf DNS servers for the AD bit.

First, let me list 4 items everyone seems to agree on:

1) Applications can either do DNSSEC validation themselves, or trust the AD bit.

2) It is undesirable that each application has its own DNSSEC validation code, trust anchors and DNS cache.

3) It is undesirable that applications blindly trust the AD bit when resolv.conf points to another host, as the AD bit could have been modified on the network.

4) In the ideal world tomorrow, each host has its own automatically configured, perfectly working validating DNS server, and resolv.conf can be ignored or is always hardcoded with nameserver 127.0.0.1

Now for my question. Until we reach 4), what should we do with the AD bit in getaddrinfo()?

A) Strip the AD bit in struct addrinfo for "untrusted nameservers". A new configuration mechanism will allow white-listing nameservers, and 127.0.0.1 will always be on the whitelist.

B) Do nothing.

C) Something else, please specify.

Paul

_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane
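As an added example, not code from Paul's message nor from glibc, ssh, Postfix, libreswan or strongswan, the C program below shows what option A looks like as a concrete policy: the AD bit is read from a raw DNS response header (RFC 4035 section 3.1.6 places it in the second flags byte), but an application only gets to see it as set when the configured nameserver is loopback or on an explicit allowlist. The function names, the allowlist argument, the resolv.conf-style text and the 12-byte response headers are all constructed for this example; a real stub resolver would apply the same masking where it builds the result it hands back.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>   /* inet_pton() for parsing nameserver addresses */

/* Second flags byte of the DNS header (offset 3): RA | Z | AD | CD | RCODE.
 * The AD (Authentic Data) bit is 0x20 in that byte (RFC 4035, section 3.1.6). */
#define DNS_AD_FLAG 0x20

/* Constructed 12-byte response headers for the example:
 * id 0x1234, QR=1 RD=1, then RA=1 AD=1 (0xa0) resp. RA=1 only (0x80), 1 question, 1 answer. */
const uint8_t SAMPLE_AD_RESPONSE[12]   = {0x12, 0x34, 0x81, 0xa0, 0, 1, 0, 1, 0, 0, 0, 0};
const uint8_t SAMPLE_NOAD_RESPONSE[12] = {0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0};

/* Return 1 if the AD bit is set in a raw DNS message header, 0 if clear, -1 if too short. */
int dns_header_ad(const uint8_t *msg, size_t len) {
    if (len < 12) return -1;
    return (msg[3] & DNS_AD_FLAG) ? 1 : 0;
}

typedef struct { int family; uint8_t bytes[16]; } ipaddr_t;

/* Parse a textual IPv4 or IPv6 address into binary form. */
static bool parse_ip(const char *s, ipaddr_t *out) {
    memset(out, 0, sizeof *out);
    if (inet_pton(AF_INET, s, out->bytes) == 1)  { out->family = AF_INET;  return true; }
    if (inet_pton(AF_INET6, s, out->bytes) == 1) { out->family = AF_INET6; return true; }
    return false;
}

/* 127.0.0.0/8 or ::1: answers never leave the host, so nothing on the wire can flip AD. */
static bool is_loopback(const ipaddr_t *a) {
    static const uint8_t v6lo[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1};
    if (a->family == AF_INET) return a->bytes[0] == 127;
    return memcmp(a->bytes, v6lo, 16) == 0;
}

/* Option A: a nameserver is trusted for AD only if it is loopback or on the allowlist. */
bool nameserver_trusted_for_ad(const char *addr, const char *const *allowlist, size_t n) {
    ipaddr_t a, b;
    if (!parse_ip(addr, &a)) return false;          /* unparsable address: never trusted */
    if (is_loopback(&a)) return true;
    for (size_t i = 0; i < n; i++) {
        if (parse_ip(allowlist[i], &b) && b.family == a.family &&
            memcmp(a.bytes, b.bytes, a.family == AF_INET ? 4 : 16) == 0)
            return true;
    }
    return false;
}

/* AD as an application should see it: the wire bit, masked by trust in the resolver it came from. */
int effective_ad(const uint8_t *msg, size_t len, const char *ns,
                 const char *const *allowlist, size_t n) {
    int ad = dns_header_ad(msg, len);
    if (ad <= 0) return ad;
    return nameserver_trusted_for_ad(ns, allowlist, n) ? 1 : 0;
}

/* Copy the address from the first "nameserver <addr>" line of resolv.conf-style text. */
bool first_nameserver(const char *conf, char *out, size_t outlen) {
    const char *p = conf;
    while (*p) {
        const char *eol = strchr(p, '\n');
        const char *line = p;
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        while (linelen && (*line == ' ' || *line == '\t')) { line++; linelen--; }
        if (linelen > 11 && strncmp(line, "nameserver", 10) == 0 &&
            (line[10] == ' ' || line[10] == '\t')) {
            const char *v = line + 10;
            size_t vlen = linelen - 10, n = 0;
            while (vlen && (*v == ' ' || *v == '\t')) { v++; vlen--; }
            while (n < vlen && v[n] != ' ' && v[n] != '\t' && v[n] != '\r' && v[n] != '#') n++;
            if (n == 0 || n >= outlen) return false;
            memcpy(out, v, n);
            out[n] = '\0';
            return true;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return false;
}

int main(void) {
    /* Constructed resolv.conf pointing at a remote resolver (documentation prefix 192.0.2.0/24). */
    const char *conf = "# generated by example\nsearch example.net\nnameserver 192.0.2.53\n";
    char ns[64];
    if (!first_nameserver(conf, ns, sizeof ns)) return 1;
    printf("wire AD=%d, nameserver %s -> effective AD=%d\n",
           dns_header_ad(SAMPLE_AD_RESPONSE, 12), ns,
           effective_ad(SAMPLE_AD_RESPONSE, 12, ns, NULL, 0));
    printf("same response via 127.0.0.1 -> effective AD=%d\n",
           effective_ad(SAMPLE_AD_RESPONSE, 12, "127.0.0.1", NULL, 0));
    return 0;
}
```

The masking happens at one place, so an application such as ssh or Postfix that keys a decision on AD never sees a set bit that arrived from a resolver it has no reason to trust; an allowlist entry is the administrator's explicit statement that the path to that resolver is protected by other means.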
