On Fri, Feb 28, 2014 at 01:12:36PM +0100, Petr Spacek wrote:
[ Not very many comments by others addressing this, I'm afraid. :-( ]
> 1) Add a new boolean to /etc/resolv.conf:
> options resolvers-trusted
> - If present, this option states that "admin ensured that recursor
> is trustworthy and the communication link between recursor and
> stub-resolver is secure".
> - If present, the AD bit will be passed from recursors to applications as-is.
> - If not present, the AD bit sent to applications will always be 0.
> - E.g. the option will be present on a system with locally running Unbound.
> - E.g. the option *will not* be present on thin client, compute node
> in data centre, a random laptop installed today with default
> configuration etc.
>
> Objections:
> - There is a chance that a DHCP client copies "options" from the old
> resolv.conf to the new one. In that case the simplest variant "options
> resolvers-trusted" is insecure if one configured e.g. a local trusted
> recursor and the DHCP client was started after that.
If this concern is well founded (i.e. there is evidence of at
least one DHCP client implementation that does this), then indeed
the boolean looks questionable; a white-list in a separate file is
more robust. If so, and you want to protect naive applications
from possibly insecure AD bits on systems that don't employ a local
validating resolver, then the AD bit should be suppressed whenever
a non-empty subset of the designated resolvers is not white-listed.
It would be a mistake to suppress the AD bit selectively for just
a subset of the resolvers based on where the answer came from.
> 2) Add a function call for run-time check (for library users):
> boolean dns_resolvers_trusted(resolver);
Where "resolver" means the complete resolver context, i.e. all
nameservers trusted, ...
There would ideally (in each updated legacy implementation) be a
new macro #defined that promises the existence of this function
and the possibility of AD bit suppression. This could be a new
option macro that enables applications to request bare AD bits
without RRSIG records if both features are introduced together in
implementations of the library on multiple platforms (i.e. ultimately
by the upstream maintainer, rather than a downstream release-specific
patch).
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
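The all-or-nothing rule discussed above (pass the AD bit through only when every configured nameserver is on an admin-maintained white-list, otherwise clear it), written out as an added Python sketch that is not part of the thread or of any resolver library. The white-list file format, the function names and the sample resolv.conf contents are assumptions made for the illustration.

```python
"""Added illustration of the all-or-nothing AD-bit rule from the thread:
the AD bit reaches applications only if EVERY configured nameserver is on
an admin-maintained white-list. File formats and names are assumptions."""
import ipaddress

AD_BIT = 0x0020  # Authentic Data flag in the DNS header flags word (RFC 4035)


def _canonical(token):
    """Normalize an address so '::1' and '0:0:0:0:0:0:0:1' compare equal.
    Unparsable tokens are returned raw, so they can never match a
    white-list entry: unknown input fails closed (untrusted)."""
    try:
        return str(ipaddress.ip_address(token))
    except ValueError:
        return token

def parse_resolv_conf(text):
    """Collect 'nameserver' addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0]
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(_canonical(parts[1]))
    return servers

def parse_whitelist(text):
    """One trusted resolver address per line (hypothetical file format)."""
    return {_canonical(t.strip()) for t in text.splitlines()
            if t.strip() and not t.lstrip().startswith("#")}

def dns_resolvers_trusted(nameservers, whitelist):
    """The whole resolver context is trusted only when it is non-empty and
    no configured nameserver falls outside the white-list."""
    return bool(nameservers) and all(ns in whitelist for ns in nameservers)

def filter_ad_flags(flags, trusted):
    """Clear AD in a response's flags word unless the context is trusted."""
    return flags if trusted else flags & ~AD_BIT

# Constructed sample inputs.
WHITELIST = "# local validating resolvers\n127.0.0.1\n::1\n"
LOCAL_ONLY = "nameserver 127.0.0.1\noptions edns0\n"
MIXED = "nameserver 127.0.0.1\nnameserver 192.0.2.53  # from DHCP\n"
REPLY_FLAGS = 0x81A0  # QR|RD|RA|AD as a recursor might send it
```

With the MIXED configuration the locally running resolver is trusted but the DHCP-supplied one is not, so the context as a whole is untrusted and AD is cleared on every answer, regardless of which server produced it.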