This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: Building consensus over DNSSEC enhancements to glibc.
- From: Paul Wouters <pwouters at redhat dot com>
- To: "Carlos O'Donell" <carlos at redhat dot com>, Rich Felker <dalias at libc dot org>, Simo Sorce <simo at redhat dot com>
- Cc: Petr Spacek <pspacek at redhat dot com>, libc-alpha at sourceware dot org
- Date: Tue, 17 Nov 2015 14:55:18 +0900
- Subject: Re: Building consensus over DNSSEC enhancements to glibc.
- Authentication-results: sourceware.org; auth=none
- References: <563CED63 dot 1070201 at redhat dot com> <20151106182835 dot GC3818 at brightrain dot aerifal dot cx> <563D0953 dot 9020707 at redhat dot com> <56407C19 dot 2080906 at redhat dot com> <20151109180310 dot GO3818 at brightrain dot aerifal dot cx> <5649A3F3 dot 2060309 at redhat dot com> <20151116161642 dot GQ3818 at brightrain dot aerifal dot cx> <564A0FED dot 9010408 at redhat dot com> <20151116181740 dot GS3818 at brightrain dot aerifal dot cx> <564A1E3E dot 5090703 at redhat dot com> <20151116182322 dot GU3818 at brightrain dot aerifal dot cx> <564AB3F9 dot 4020404 at redhat dot com>
On 11/17/2015 01:58 PM, Carlos O'Donell wrote:
> The option strips the AD-bit from responses returned by libresolv to
> cause all applications using libresolv to see unauthenticated data.
>
> e.g.
>
> openssh-7.1p1/openbsd-compat/getrrsetbyname.c
>
> #ifdef HAVE_HEADER_AD
>         /* check for authenticated data */
>         if (response->header.ad == 1)
>                 rrset->rri_flags |= RRSET_VALIDATED;
> #endif
>
> openssh-7.1p1/dns.c
>
>         if (fingerprints->rri_flags & RRSET_VALIDATED) {
>                 *flags |= DNS_VERIFY_SECURE;
>                 debug("found %d secure fingerprints in DNS",
>                     fingerprints->rri_nrdatas);
>         } else {
>
> This would prevent the ssh client from thinking it had secure
> fingerprints loaded via DNS.
>
> A secure system that is migrating from being insecure to having
> validation over a secure channel (local validating resolver) would
> immediately set the options flag in /etc/resolv.conf before
> upgrading and clear it after the upgrade when the results could
> be trusted.
>
> Optionally NetworkManager via resolvconf (coordinating /etc/resolv.conf
> changes) could set the option if only one insecure public network
> was connected to the system.
So indeed, this is an insecure solution. One write to /etc/resolv.conf and all
trusted applications are compromised. Applications like gpg or ssh or openpgpkey-milter
or even browsers checking TLSA records should not bet their security on this.
If that is the only API to be offered, I recommend we patch the applications with the
"postfix method" instead and for now limit ourselves with dnssec only if localhost is
specified in resolv.conf.
Note that with the openssh client, I have seen situations where it trusts the SSHFP while it should not. I haven't
figured out exactly when this happens. It is not easily reproducible.
Paul
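As an added illustration of the check this thread is arguing about (example code written for this page, not code from the thread, glibc, OpenSSH or Postfix): the C below reads the AD bit from a raw DNS response header and applies the "postfix method" as described above, i.e. it treats an answer as DNSSEC-validated only when the AD bit is set and every configured resolver address is loopback. The response bytes and resolver lists are constructed sample data, and all function names are my own.

```c
/* Example: when may the AD (Authenticated Data) bit of a DNS response be
 * trusted?  Not glibc, OpenSSH or Postfix code; the "postfix method" from the
 * thread (trust AD only if the resolver is local) is implemented from its
 * description.  All names below are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* DNS header flags word, RFC 1035 4.1.1 with the AD/CD bits of RFC 4035 3.2.3:
 *   QR(15) Opcode(14-11) AA(10) TC(9) RD(8) RA(7) Z(6) AD(5) CD(4) RCODE(3-0) */
#define DNS_FLAG_QR 0x8000
#define DNS_FLAG_RD 0x0100
#define DNS_FLAG_RA 0x0080
#define DNS_FLAG_AD 0x0020
#define DNS_HEADER_LEN 12

/* Return the 16-bit flags word of a wire-format message, or -1 if the buffer
 * is too short to hold a header. */
int dns_header_flags(const uint8_t *msg, size_t len) {
    if (msg == NULL || len < DNS_HEADER_LEN)
        return -1;
    return (msg[2] << 8) | msg[3];
}

/* 1 if the response carries the AD bit, 0 otherwise (or on a short buffer). */
int dns_ad_bit_set(const uint8_t *msg, size_t len) {
    int flags = dns_header_flags(msg, len);
    return flags >= 0 && (flags & DNS_FLAG_AD) != 0;
}

/* 1 if a textual resolver address is loopback (127.0.0.0/8 or ::1). */
int resolver_is_loopback(const char *addr) {
    struct in_addr a4;
    struct in6_addr a6;
    if (inet_pton(AF_INET, addr, &a4) == 1)
        return (ntohl(a4.s_addr) & 0xff000000u) == 0x7f000000u;
    if (inet_pton(AF_INET6, addr, &a6) == 1)
        return IN6_IS_ADDR_LOOPBACK(&a6);
    return 0;
}

/* The "postfix method": the AD bit is only meaningful when it was set by a
 * validating resolver we reach over a channel nobody else can rewrite, so
 * require AD *and* that every configured nameserver is on loopback.  An empty
 * resolver list is treated as untrusted. */
int dnssec_validated(const uint8_t *msg, size_t len,
                     const char *const *resolvers, size_t n) {
    size_t i;
    if (n == 0 || !dns_ad_bit_set(msg, len))
        return 0;
    for (i = 0; i < n; i++)
        if (!resolver_is_loopback(resolvers[i]))
            return 0;
    return 1;
}

/* Constructed sample headers (only the 12 header bytes matter here). */
static const uint8_t sample_ad_response[DNS_HEADER_LEN] = {
    0x12, 0x34,             /* ID */
    0x81, 0xa0,             /* flags: QR|RD|RA|AD = 0x81a0 */
    0x00, 0x01, 0x00, 0x01, /* QDCOUNT=1, ANCOUNT=1 */
    0x00, 0x00, 0x00, 0x00  /* NSCOUNT=0, ARCOUNT=0 */
};
static const uint8_t sample_plain_response[DNS_HEADER_LEN] = {
    0x12, 0x35,
    0x81, 0x80,             /* flags: QR|RD|RA, no AD */
    0x00, 0x01, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x00
};

/* Constructed resolver lists standing in for "nameserver" lines. */
static const char *const local_only[] = { "127.0.0.1", "::1" };
static const size_t local_only_n = 2;
static const char *const mixed[] = { "127.0.0.1", "192.0.2.53" };
static const size_t mixed_n = 2;

int main(void) {
    printf("AD set, loopback resolvers only: validated=%d\n",
           dnssec_validated(sample_ad_response, DNS_HEADER_LEN, local_only, local_only_n));
    printf("AD set, one remote resolver:     validated=%d\n",
           dnssec_validated(sample_ad_response, DNS_HEADER_LEN, mixed, mixed_n));
    printf("AD clear, loopback resolvers:    validated=%d\n",
           dnssec_validated(sample_plain_response, DNS_HEADER_LEN, local_only, local_only_n));
    return 0;
}
```

The second case is the one Paul's objection is about: a response with AD set that arrived from a non-loopback nameserver is reported as not validated regardless of the bit, so a single edit to /etc/resolv.conf that points at a remote resolver cannot upgrade unauthenticated data to "secure" in the application's eyes.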