[dns-operations] Any known AD=1 intolerant iterative resolvers?

Petr Špaček petr.spacek at nic.cz
Wed Apr 15 05:46:38 UTC 2020


On 15. 04. 20 7:23, Florian Weimer wrote:
> This approach does not work because you do not know whether the
> recursive resolver merely echoes back the AD bit, or has actually
> performed DNSSEC validation.

As always, any reliance on AD bit requires out-of-band knowledge whether the other side does validation and can be trusted or not... and I'm sure Viktor knows that.

Glibc (after years and years of deliberation) now has explicit configuration for passing AD bit back to clients:

GLibc commit 446997ff1433d33452b81dfa9e626b8dccf101a4
Author: Florian Weimer <fweimer at redhat.com>
Date:   Wed Oct 30 17:26:58 2019 +0100

    resolv: Implement trust-ad option for /etc/resolv.conf [BZ #20358]
    
    This introduces a concept of trusted name servers, for which the
    AD bit is passed through to applications.  For untrusted name
    servers (the default), the AD bit in responses are cleared, to
    provide a safe default.
    
    This approach is very similar to the one suggested by Pavel Šimerda
    in <https://bugzilla.redhat.com/show_bug.cgi?id=1164339#c15>.
    
    The DNS test framework in support/ is enhanced with support for
    setting the AD bit in responses.
    
    Tested on x86_64-linux-gnu.
    
    Change-Id: Ibfe0f7c73ea221c35979842c5c3b6ed486495ccc

Kudos to Florian that he made it happen, it took 6 years to get it upstream!


Historical notes:
https://www.sourceware.org/glibc/wiki/DNSSEC

-- 
Petr Špaček  @  CZ.NIC



More information about the dns-operations mailing list