This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: Building consensus over DNSSEC enhancements to glibc.


On 11/16/2015 08:39 PM, Zack Weinberg wrote:
> On 11/16/2015 02:07 PM, Petr Spacek wrote: 
>> Please note that necessary level of trust is different for different DNS
>> record types. For A/AAAA records it is widely accepted that results may be
>> forget and applications are counting with that. For other purposes like TLS
>> certificate validation it is necessary to have full confidence in the data, so
>> validation results has to be properly communicated to the application. The
>> list of "must be secure" record types is changing over time, so it is not
>> feasible to hardcode list to resolver libraries.
> 
> Again, applications cannot be trusted to process AD correctly.  The
> correct approach is for the resolver to hardcode a list of records that
> *should* be passed through even if received from an unsigned zone: A,
> AAAA, PTR, MX, SRV, TXT.  I think that's it.

I agree that applications should not see the AD-bit unless processing the
DNS queries and responses themselves (like my example of openssh does in
my other on-thread response).

In the case of the glibc APIs my preferred solution for policy-based
whitelist/blacklist of records as you suggest is for the validating
resolver to make those decisions (relaying them back to the application
via the secured channel).

Cheers,
Carlos.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]