[dns-operations] Any known AD=1 intolerant iterative resolvers?
Petr Špaček
petr.spacek at nic.cz
Wed Apr 15 05:46:38 UTC 2020
On 15. 04. 20 7:23, Florian Weimer wrote:
> This approach does not work because you do not know whether the
> recursive resolver merely echoes back the AD bit, or has actually
> performed DNSSEC validation.
As always, any reliance on the AD bit requires out-of-band knowledge of whether the other side does validation and can be trusted or not... and I'm sure Viktor knows that.
Glibc (after years and years of deliberation) now has explicit configuration for passing AD bit back to clients:
GLibc commit 446997ff1433d33452b81dfa9e626b8dccf101a4
Author: Florian Weimer <fweimer at redhat.com>
Date: Wed Oct 30 17:26:58 2019 +0100
resolv: Implement trust-ad option for /etc/resolv.conf [BZ #20358]
This introduces a concept of trusted name servers, for which the
AD bit is passed through to applications. For untrusted name
servers (the default), the AD bit in responses are cleared, to
provide a safe default.
This approach is very similar to the one suggested by Pavel Šimerda
in <https://bugzilla.redhat.com/show_bug.cgi?id=1164339#c15>.
The DNS test framework in support/ is enhanced with support for
setting the AD bit in responses.
Tested on x86_64-linux-gnu.
Change-Id: Ibfe0f7c73ea221c35979842c5c3b6ed486495ccc
Kudos to Florian for making it happen; it took 6 years to get it upstream!
Historical notes:
https://www.sourceware.org/glibc/wiki/DNSSEC
--
Petr Špaček @ CZ.NIC
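The trust-ad behaviour described in the quoted commit message, as an added illustration that is not glibc's code nor part of the original post: a simplified resolv.conf parser and a stub-side filter that clears the AD bit in a response unless `options trust-ad` is set and the response came from a configured nameserver. The wire layout of the DNS flags word is from RFC 1035/4035; the sample header bytes are constructed here.

```python
import struct

# DNS header flags word: QR(1) Opcode(4) AA TC RD | RA Z AD CD RCODE(4).
# AD (RFC 4035) is bit 5 of the 16-bit flags field, i.e. mask 0x0020.
AD_FLAG = 0x0020


def parse_resolv_conf(text):
    """Return (nameservers, trust_ad) from resolv.conf text.

    Simplified model of the file syntax: only 'nameserver' and the
    'options trust-ad' keyword are recognised; comments start with '#'.
    """
    nameservers, trust_ad = [], False
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "nameserver" and len(parts) > 1:
            nameservers.append(parts[1])
        elif parts[0] == "options":
            trust_ad = trust_ad or "trust-ad" in parts[1:]
    return nameservers, trust_ad


def ad_bit_set(response):
    """True if the AD flag is set in a wire-format DNS message."""
    flags = struct.unpack_from("!H", response, 2)[0]
    return bool(flags & AD_FLAG)


def sanitize_ad(response, server, nameservers, trust_ad):
    """Pass AD through only for a trusted (configured) server with trust-ad on.

    For everything else (the safe default) the AD bit is cleared so that an
    application cannot mistake an echoed flag for a validated answer.
    """
    if trust_ad and server in nameservers:
        return response
    flags = struct.unpack_from("!H", response, 2)[0] & ~AD_FLAG
    return response[:2] + struct.pack("!H", flags) + response[4:]


def build_header(ad):
    """Constructed sample: a NOERROR response header (QR, RD, RA set), AD optional."""
    flags = 0x8180 | (AD_FLAG if ad else 0)
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
```

Feeding a response through `sanitize_ad` shows that with the default configuration the AD bit never reaches the application, regardless of what the upstream resolver set.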