Hi Paul,

On 26. 2. 2014, at 15:12, Paul Wouters <[email protected]> wrote:

> Hi,
>
> I've been part of a very long and heated discussion about the trust of
> the AD bit. I would like to hear from people here what they think.
>
> I'm currently aware of two (non-dns utilities) applications that make
> security decisions based on "blindly" trusting the AD bit: ssh with
> VerifyHostKeyDNS=yes|ask and Postfix.
>
> libreswan and strongswan are examples of applications that use libunbound
> for in-application DNSSEC validation to avoid needing to trust
> /etc/resolv.conf DNS servers for the AD bit.
>
> First, let me list 4 items everyone seems to agree on:
>
> 1 Applications can either do dnssec validation themselves, or trust the
>   AD bit.
>
> 2 It is undesirable that each application has its own DNSSEC validation
>   code, trust anchors and DNS cache.
>
> 3 It is undesirable that applications blindly trust the AD bit when
>   resolv.conf points to another host as the AD bit could have been modified
>   on the network.
>
> 4 In the ideal world tomorrow, each host has its own automatically
>   configured, perfectly working validating DNS server and resolv.conf can
>   be ignored or is always hardcoded with nameserver 127.0.0.1

My personal opinion on that matter is that the application should not
have to care about that and they should just use (some) API to get the
validated response from system library (not necessarily glibc).

> Now for my question. Until we reach 4), what should we do with the AD
> bit in getaddrinfo() ?
>
> A) strip the AD bit in struct addrinfo for "untrusted nameservers". A new
>    configuration mechanism will allow white-listing nameservers and 127.0.0.1
>    will always be on the whitelist.

This seems to be reasonable to me for the time being.

> B) do nothing
>
> C) Something else, please specify

O.
--
 Ondřej Surý -- Chief Science Officer
 -------------------------------------------
 CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
 Americka 23, 120 00 Praha 2, Czech Republic
 mailto:[email protected] http://nic.cz/
 tel:+420.222745110 fax:+420.222745112
 -------------------------------------------
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
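
Option A from the quoted question, sketched as an added example (not part of the original message and not glibc code): the AD bit survives only when every nameserver in resolv.conf is loopback or whitelisted. The function names, the whitelist being passed as an array, and the choice to clear AD in the raw DNS header rather than in struct addrinfo are assumptions of this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN 12
#define DNS_FLAG_AD 0x20 /* AD bit in the second flags octet (header byte 3) */

/* Loopback is always trusted; anything else must be on the whitelist. */
static int ns_trusted(const char *addr, const char *const *wl, size_t n) {
    if (!strcmp(addr, "127.0.0.1") || !strcmp(addr, "::1")) return 1;
    for (size_t i = 0; i < n; i++)
        if (!strcmp(addr, wl[i])) return 1;
    return 0;
}

/* 1 only if the resolv.conf text names at least one nameserver and all of
 * them are trusted. No nameserver line counts as untrusted here, which is
 * a conservative choice made for this example. */
int resolvconf_trusted(const char *text, const char *const *wl, size_t n) {
    int seen = 0;
    while (*text) {
        char line[256], addr[64];
        size_t len = strcspn(text, "\n");
        snprintf(line, sizeof line, "%.*s", (int)len, text);
        if (sscanf(line, " nameserver%*[ \t]%63s", addr) == 1) {
            if (!ns_trusted(addr, wl, n)) return 0;
            seen = 1;
        }
        text += len + (text[len] == '\n');
    }
    return seen;
}

/* Clear AD in a raw DNS response unless the resolver path is trusted.
 * Returns the AD bit left in the message, or -1 if it is too short. */
int filter_ad(uint8_t *msg, size_t len, int trusted) {
    if (len < DNS_HDR_LEN) return -1;
    if (!trusted) msg[3] &= (uint8_t)~DNS_FLAG_AD;
    return (msg[3] & DNS_FLAG_AD) != 0;
}

int main(void) {
    /* Constructed sample: one whitelisted resolver, one unknown one. */
    const char *wl[] = { "192.0.2.53" };
    const char *conf = "nameserver 192.0.2.53\nnameserver 198.51.100.7\n";
    uint8_t reply[DNS_HDR_LEN] = { 0x12, 0x34, 0x81, 0xa0, 0, 1, 0, 1 };
    int trusted = resolvconf_trusted(conf, wl, 1);
    printf("trusted=%d ad=%d\n", trusted, filter_ad(reply, sizeof reply, trusted));
    return 0;
}
```

A single non-whitelisted nameserver is enough to drop AD, since the stub resolver may fall back to any listed server.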
