On Wed, Nov 17, 2021 at 01:05:05PM -0800, tho...@habets.se wrote:

> On Wed, 17 Nov 2021 20:46:46 +0000, Otto Moerbeek <o...@drijf.net> said:
> > Well, I should have been more clear as well, dig sets both the AD bit
> > (by default) and the DO bit (on +dnssec). More clients do this. This
> > is part of the can of worms.
> 
> Right, yeah. I misunderstood the AD bit in the query being the
> trigger, but as you say it's the DO, and as the RFC says, queries
> shouldn't set the AD.

I wasn't complete and not right, as Florian is saying: a more recent
RFC does define the AD bit for queries. Sorry about that oversight.
Sometimes it's hard to keep track of all the relevant RFCs.

So the AD bit in a query gets you a potential AD bit set in the reply,
but without the records needed to validate the signature, you have to
trust the resolver. Setting the DO bit does get you the DNSSEC records
in addition to the AD bit in the reply if validation succeeded. That
is also a reason setting the DO bit is a can of worms: it grows the
response sizes and not all equipment handles that properly.

> 
> > You are forcing *all* clients resolving to use dnssec. Only a solution
> > that limits the scope to the smallest case (ssh doing a
> > getrrsetbyname() for DNS_RDATATYPE_SSHFP) is likely acceptable. Sadly
> > the context used by resolving is program-wide, so setting a flag in
> > _res is also not going to work.
> 
> Yeah. For the machine I'm on I actually want all DNS requests system
> wide to use DNSSEC. So personally that's working as intended. But I
> see your point.
> 
> Currently there's no way to get a signed response, right?
> 
> With my patch for a per-program level option I just successfully
> tested:
> 
>   RES_OPTIONS=dnssec ssh foo.example.com
> 
> But of course it doesn't limit to just getrrsetbyname().
> 
> Is the asr_ctx (where flags look like they live) program-wide, or just
> thread wide? I can basically hear you cringing already, so maybe the
> only real solution is to have getrrsetbyname_async_run() pass in flags
> to _res_query_async_ctx()->setup_query() to OR in the option?
> 
> And then maybe have getrrsetbyname() call that stack twice, once with
> and once without RES_USE_DNSSEC, in case DNSSEC is broken?

After sleeping on it, setting the DO bit for a single query can likely
be done the way ntpd does it for the CD bit; see probe_root_ns() in
ntp_dns.c.

But I agree with Florian that setting the AD bit on the query is
better, although afaik, there is no way of doing that yet.

        -Otto
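The difference Otto describes between a query that only sets the AD bit and one that also sets the DO bit is easiest to see on the wire. The following is an added example written for this page; it is not code from the thread, from asr, from ssh or from ntpd. It uses only the Python standard library to build an SSHFP query with the header AD bit and, optionally, an EDNS0 OPT record carrying the DO bit, and to parse a response. The two responses are constructed stand-ins for what a validating resolver would return (the RRSIG rdata is placeholder bytes, not a real signature): with AD alone the reply carries the AD flag but no RRSIG, so the client has nothing to validate and must trust the resolver; with DO the reply also carries the RRSIG and an OPT record, and is correspondingly larger.

```python
import struct

# RR type codes and header flag bits from the DNS wire format (RFC 1035, RFC 4035, RFC 6891).
TYPE_OPT, TYPE_SSHFP, TYPE_RRSIG = 41, 44, 46
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
EDNS_DO = 0x8000  # DO bit lives in the OPT RR's TTL field (extended flags)


def encode_name(name):
    """Encode a dotted name as DNS labels terminated by the root label."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name at msg[off:], handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def build_query(name, qtype, txid=0x1234, ad=False, do=False, cd=False, bufsize=4096):
    """Build a query; ad/cd set header bits, do adds an EDNS0 OPT RR with the DO bit."""
    flags = FLAG_RD | (FLAG_AD if ad else 0) | (FLAG_CD if cd else 0)
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if do else 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if do:
        # OPT RR: root name, type 41, class = UDP payload size, TTL = ext-rcode|version|flags
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, EDNS_DO, 0)
    return msg


def build_response(query, answers, ad=False, do=False, bufsize=4096):
    """Constructed stand-in for a resolver reply: echoes the question, appends answers."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 1 if do else 0) + question
    for rtype, rdata in answers:
        # 0xC00C is a compression pointer back to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    if do:
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, EDNS_DO, 0)
    return msg


def parse_response(msg):
    """Parse header flags and every RR type; report whether validation material came back."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    records = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {
        "txid": txid,
        "ad": bool(flags & FLAG_AD),
        "types": [r[0] for r in records],
        "has_rrsig": any(r[0] == TYPE_RRSIG for r in records),
        "do": any(r[0] == TYPE_OPT and r[2] & EDNS_DO for r in records),
        "size": len(msg),
    }


# Constructed sample data: an SSHFP rdata (algorithm, fp type, digest) and placeholder RRSIG bytes.
SSHFP_RDATA = b"\x04\x02" + bytes(32)
RRSIG_RDATA = bytes(80)


def compare_ad_vs_do(name="foo.example.com"):
    """Run the AD-only and AD+DO cases through the same resolver stand-in and parse both."""
    q_ad = build_query(name, TYPE_SSHFP, ad=True)
    q_do = build_query(name, TYPE_SSHFP, ad=True, do=True)
    r_ad = build_response(q_ad, [(TYPE_SSHFP, SSHFP_RDATA)], ad=True)
    r_do = build_response(q_do, [(TYPE_SSHFP, SSHFP_RDATA), (TYPE_RRSIG, RRSIG_RDATA)], ad=True, do=True)
    return parse_response(r_ad), parse_response(r_do)


if __name__ == "__main__":
    for label, parsed in zip(("AD only", "AD + DO"), compare_ad_vs_do()):
        print(label, parsed)
```

The `cd=` parameter is the same single-query flag setting the thread mentions for ntpd's CD bit; whether asr can be made to do this for one getrrsetbyname() call is the open question above, and the example does not answer it.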
