On Thu, 27 Feb 2014, Petr Spacek wrote:
> Now we need to discuss 'a temporary solution' for the case where a validating
> resolver is not available for whatever reason.
I don't agree with this premise, but those applications can be changed
to use (most error handling removed for clarity):
    #include <stdio.h>
    #include <sys/socket.h>   /* AF_INET6 */
    #include <unbound.h>      /* libunbound: ub_ctx_*, ub_resolve */

    /* rootanchor, dlvanchor, qname and af are supplied by the application */

    /* one time setup */
    struct ub_ctx *dnsctx = ub_ctx_create();             /* create unbound resolver context */
    ub_ctx_hosts(dnsctx, "/etc/hosts");                  /* emulate POSIX */
    ub_ctx_resolvconf(dnsctx, "/etc/resolv.conf");       /* use nameservers from resolv.conf */
    ub_ctx_add_ta(dnsctx, rootanchor);                   /* root key auto-updates via
                                                            /var/lib/unbound/root.anchor */
    ub_ctx_set_option(dnsctx, "dlv-anchor:", dlvanchor); /* activate DLV */

    /* example query */
    const int qtype = (af == AF_INET6) ? 28 : 1;         /* AAAA or A */
    struct ub_result *result;
    ub_resolve(dnsctx, qname, qtype, 1 /* CLASS IN */, &result);
    if (result->bogus) {
        fprintf(stderr, "ERROR: %s failed DNSSEC validation! (%s)\n",
                result->qname, result->why_bogus);
        ub_resolve_free(result);
        /* [ do application is-under-attack defense ] */
        return;                                          /* result is freed; do not use it below */
    }
    if (result->havedata) {
        if (result->secure) { /* look, a real AD bit! */
            /* [ do application stuff that trusts AD bit ] */
        } else {
            /* [ do application stuff with no AD bit ] */
        }
    }
    ub_resolve_free(result);                             /* release the answer when done */
This has the same effect as stripping out forged AD bits, except real AD
bits survive. It uses whatever nameservers the system has in
/etc/resolv.conf. It supports overrides in /etc/hosts. It does not
require glibc modification. It does not require that various applications
read new keywords in resolv.conf or new config files. It has no race
conditions. It's a great band-aid until "tomorrow".
And possibly, the getdns API has an even simpler way of doing this.
Is this really too hard to do today for those old applications that need
to be fixed and for the new applications you will write tomorrow?
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane