On Wed, May 20, 2020 at 05:41:46PM -0400, Wietse Venema wrote:
> Rich Felker:
> [dnssec end-to-end probe, log a warning if for any reason results
> do not have the 'authentic data' bit set].
> > This sounds like a great plan that will also mitigate the problem of
> >
On Wed, May 20, 2020 at 01:59:47PM -0400, Wietse Venema wrote:
> Viktor Dukhovni:
> > On Tue, May 19, 2020 at 05:19:26PM -0400, Wietse Venema wrote:
> >
> > > > https://git.musl-libc.org/cgit/musl/commit/?id=fd7ec068efd590c0393a612599a4fab9bb0a8633
> > >
> > > I understand that the AD (authentic
On Tue, May 19, 2020 at 07:00:57PM -0400, Viktor Dukhovni wrote:
> On Tue, May 19, 2020 at 05:19:26PM -0400, Wietse Venema wrote:
>
> > > https://git.musl-libc.org/cgit/musl/commit/?id=fd7ec068efd590c0393a612599a4fab9bb0a8633
> >
> > I understand that the AD (authentic data) bit now is 'true' if
On Tue, May 19, 2020 at 06:51:57PM -0400, Viktor Dukhovni wrote:
> On Tue, May 19, 2020 at 04:08:32PM -0400, Rich Felker wrote:
>
> > I'm not encouraging any to do that; rather I've encouraged them to
> > take measures to both:
> >
> > (1) ensure that DANE is n
On Tue, May 19, 2020 at 01:25:52PM -0400, Wietse Venema wrote:
> Rich Felker:
> > On Tue, May 19, 2020 at 11:11:56AM -0400, Wietse Venema wrote:
> > > Rich Felker:
> > > > On Tue, May 19, 2020 at 10:23:18AM -0400, Wietse Venema wrote:
> > > > >
On Tue, May 19, 2020 at 11:11:56AM -0400, Wietse Venema wrote:
> Rich Felker:
> > On Tue, May 19, 2020 at 10:23:18AM -0400, Wietse Venema wrote:
> > > Rich Felker:
> > > > There is fundamentally no build-time test possible for this. Even if we
> > > >
On Tue, May 19, 2020 at 10:23:18AM -0400, Wietse Venema wrote:
> Rich Felker:
> > There is fundamentally no build-time test possible for this. Even if we
> > were willing to make flags for each bug (or missing feature) that was
> > ever fixed indicating the change, that would
On Tue, May 19, 2020 at 09:22:59AM -0400, Wietse Venema wrote:
> Viktor Dukhovni:
> > Robust detection of MUSL features at build time would be much
> > appreciated. Precludes any tests that depend on live DNS queries.
> > The tests need to *statically* test the features of the platform's
> > C
On Tue, May 19, 2020 at 05:06:10AM -0400, Viktor Dukhovni wrote:
> On Tue, May 19, 2020 at 01:44:30AM -0400, Rich Felker wrote:
>
> > > This sounds reasonable. Will there be a way for Postfix to detect the
> > > new library version, so that we don't disable DANE for
On Mon, May 18, 2020 at 10:38:14PM -0400, Viktor Dukhovni wrote:
> On Mon, May 18, 2020 at 09:37:36PM -0400, Rich Felker wrote:
>
> > > Mostly dig, unbound-host, ... Most of the platform C libraries support
> > > DO=1, which obviates the need fo
On Tue, Apr 14, 2020 at 05:59:51PM -0400, Viktor Dukhovni wrote:
> > > That RFC was published in 2013. That's long enough ago.
> >
> > We support environments that haven't been touched since 2009 or so,
> > and to a lesser/minimal-support extent ones that haven't been touched
> > since around
On Sun, Apr 19, 2020 at 02:16:01PM -0400, Viktor Dukhovni wrote:
> On Sun, Apr 19, 2020 at 08:02:41PM +0200, Matus UHLAR - fantomas wrote:
>
> > On 19.04.20 13:11, Wietse Venema wrote:
> >
> > >Warning: libc-musl breaks DANE/TLSA security.
> > >Use a glibc-based Linux distribution instead.
> >
On Sat, Apr 18, 2020 at 03:01:08PM -0400, Viktor Dukhovni wrote:
> On Sat, Apr 18, 2020 at 01:04:58PM -0400, Rich Felker wrote:
>
> > > You can consider libc-musl as unsupported from now on.
> >
> > I am really not appreciating the hostility and utterly petty
>
On Sat, Apr 18, 2020 at 10:59:51AM -0400, Wietse Venema wrote:
> Rich Felker:
> > > It would be a mistake to use TLSA records from an unsigned domain.
> > > That would be no more secure than accepting a random server
> > > certificate. All the pain of doing T
On Fri, Apr 17, 2020 at 06:59:53PM -0400, Wietse Venema wrote:
> Rich Felker:
> > I can see where it could be desirable to log whether delivery was made
> > based on a TLSA record in a signed domain vs an unsigned one, and this
> > necessitates being able to see the
On Fri, Apr 17, 2020 at 07:01:26PM -0400, Viktor Dukhovni wrote:
> On Fri, Apr 17, 2020 at 06:52:48PM -0400, Rich Felker wrote:
>
> > > There are (unsigned) domains where any attempt to look up TLSA records
> > > times out or otherwise fails. If DANE is t
On Fri, Apr 17, 2020 at 06:27:27PM -0400, Viktor Dukhovni wrote:
> On Fri, Apr 17, 2020 at 06:19:18PM -0400, Rich Felker wrote:
>
> > This reasoning is why I consider it harmful to limit use of DANE
> > records to situations where the DNS lookup is "trusted" to have b
On Fri, Apr 17, 2020 at 08:13:52PM +0200, Florian Weimer wrote:
> * Wietse Venema:
>
> > Florian Weimer:
> >> * Wietse Venema:
> >>
> >> > Vladimir Lomov:
> >> >> I'm a bit bewildered. Does this mean that all is Ok with glibc 2.31 with
> >> >> 'options trust-ad' and postfix 3.5.0 or it is depend
On Wed, Apr 15, 2020 at 08:27:08PM +0200, Florian Weimer wrote:
> >> I don't understand your PTR example. It seems such a fringe case that
> >> people produce larger PTR responses because they add all virtual hosts
> >> to the reverse DNS zone. Sure, it happens, but not often.
> >
> > I think
On Wed, Apr 15, 2020 at 07:19:43PM +0200, Florian Weimer wrote:
> * Rich Felker:
>
> > This is true for users running local nameservers, which ideally will
> > eventually be everyone, but at present that's far from the case.
> > Differences like concurrent attempts f
On Tue, Apr 14, 2020 at 02:16:20AM -0400, Viktor Dukhovni wrote:
> On Mon, Apr 13, 2020 at 11:53:03PM -0400, Rich Felker wrote:
>
> > > Your local nameserver has already done the TCP failover and paid the
> > > cost of obtaining the full RRset, your stub resolver is ju
On Mon, Apr 13, 2020 at 05:41:38PM -0400, Viktor Dukhovni wrote:
> > Fallback to tcp on TC would also yield very bad performance for users
> > who are not running a local nameserver whenever looking up names with
> > ridiculous numbers of A/ records, where the truncated response
> > certainly
On Mon, Apr 13, 2020 at 03:04:12PM -0400, Viktor Dukhovni wrote:
> On Mon, Apr 13, 2020 at 02:35:22PM -0400, Rich Felker wrote:
>
> > > The problem can be partly resolved by setting the "AD" bit in the
> > > outgoing DNS query header sent by the musl-libc st
On Mon, Apr 13, 2020 at 02:15:14PM -0400, Viktor Dukhovni wrote:
> > On Apr 13, 2020, at 7:18 AM, Christian wrote:
> >
> > FYI: I put your findings forward to the musl-libc mailing list and
> > asked what they now think what should be done.
>
> The problem can be partly resolved by setting the