On Thu, 27 Feb 2014, Viktor Dukhovni wrote:
> It sounds like there is no strong objection to defaulting to no trust.
Well, Andrew and I voiced concerns about breaking current common deployments.
So likely RedHat should proceed with extensions to resolv.conf to express the trust status of the nameserver list, and improvements to libresolv. The default stub-resolver policy can reasonably be non-trust of all nameservers (typically from DHCP).
But it is so much better for all server installs to just install a validating resolver, point resolv.conf to localhost, and use the DHCP-obtained DNS servers (or admin-configured DNS servers) as forwarders. Then all applications can trust the AD bit. That's simply a reality that's possible today. Even upgrading machines to this is not that hard.

The only really difficult case is the roaming device that has to deal with captive portals. dnssec-trigger+unbound isn't cutting it for the average user yet. While the glibc change would protect them, without dnssec-trigger+unbound they are in such a completely insecure DNS mess anyway that I think a bogus AD flag is the least of the trouble.

That's why I'm not really in favour of adding legacy to glibc or resolv.conf. Especially because there are also so few applications that actually do anything with AD bits, plus we are still working on API and DNSOP documents on how to improve/secure the DNS transport for talking to remote servers.

Paul

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
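As an added example (not part of Paul's message or anything else on the dane thread), a small Python sketch of the stub-resolver policy discussed above: pull the AD flag out of a DNS response header and trust it only when the answering nameserver is on loopback, i.e. a local validating resolver, rather than a DHCP-supplied one. The header bytes, the resolv.conf text and the addresses are constructed sample values; the policy function is hypothetical, not glibc's.

```python
import ipaddress
import struct

# Constructed 12-byte DNS headers (RFC 1035 layout), not captured traffic.
# Flags 0x81A0 = QR | RD | RA | AD ; flags 0x8180 = QR | RD | RA (no AD).
# QDCOUNT=1, ANCOUNT=1, NSCOUNT=0, ARCOUNT=0 in both.
SAMPLE_AD_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)
SAMPLE_PLAIN_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)

# Constructed resolv.conf: a local validator first, a DHCP-supplied server second.
SAMPLE_RESOLV_CONF = "nameserver 127.0.0.1\nnameserver 192.0.2.53\noptions edns0\n"


def parse_flags(msg: bytes) -> dict:
    """Decode the header flag bits of a DNS message (RFC 1035 / RFC 4035)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    (flags,) = struct.unpack("!H", msg[2:4])
    return {
        "qr": bool(flags & 0x8000),   # response
        "ra": bool(flags & 0x0080),   # recursion available
        "ad": bool(flags & 0x0020),   # Authentic Data: validator says DNSSEC-secure
        "cd": bool(flags & 0x0010),   # Checking Disabled
        "rcode": flags & 0x000F,
    }


def nameservers_from_resolv_conf(text: str) -> list[str]:
    """Return the nameserver addresses listed in resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def ad_is_trustworthy(msg: bytes, nameserver: str) -> bool:
    """Hypothetical stub policy: honour AD only from a resolver on the local host.

    A validating resolver on loopback is under the host's control. A remote
    (typically DHCP-obtained) resolver can set AD on an answer the stub never
    validated and the path to it is unprotected, so its AD bit is ignored.
    """
    if not parse_flags(msg)["ad"]:
        return False
    return ipaddress.ip_address(nameserver).is_loopback
```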
