[dns-operations] Any known AD=1 intolerant iterative resolvers?
petr.spacek at nic.cz
Wed Apr 15 05:46:38 UTC 2020
On 15. 04. 20 7:23, Florian Weimer wrote:
> This approach does not work because you do not know whether the
> recursive resolver merely echoes back the AD bit, or has actually
> performed DNSSEC validation.
As always, any reliance on the AD bit requires out-of-band knowledge of whether the other side does validation and can be trusted or not... and I'm sure Viktor knows that.
Glibc (after years and years of deliberation) now has an explicit configuration option for passing the AD bit back to clients:
glibc commit 446997ff1433d33452b81dfa9e626b8dccf101a4
Author: Florian Weimer <fweimer at redhat.com>
Date: Wed Oct 30 17:26:58 2019 +0100
resolv: Implement trust-ad option for /etc/resolv.conf [BZ #20358]
This introduces a concept of trusted name servers, for which the
AD bit is passed through to applications. For untrusted name
servers (the default), the AD bit in responses is cleared, to
provide a safe default.
This approach is very similar to the one suggested by Pavel Šimerda
The DNS test framework in support/ is enhanced with support for
setting the AD bit in responses.
Tested on x86_64-linux-gnu.
Kudos to Florian that he made it happen, it took 6 years to get it upstream!
Petr Špaček @ CZ.NIC
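The post and the quoted commit describe two mechanics: a stub sets AD=1 in its query to ask for the bit back, and a stub must clear AD in responses from any nameserver it has not been told to trust, because the bit on the wire says nothing about whether the recursive resolver validated or merely echoed it. The following is an added illustration (my own code, not glibc's resolver and not anything from the thread) that builds such a query, decodes the header flags, and applies a trusted-nameserver policy to a constructed response. The `TRUSTED_NAMESERVERS` set stands in for a per-server trust-ad configuration; the addresses and the response bytes are constructed sample values.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.2.3).
FLAG_QR = 0x8000
FLAG_AA = 0x0400
FLAG_TC = 0x0200
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020
FLAG_CD = 0x0010
RCODE_MASK = 0x000F

# id, flags, qdcount, ancount, nscount, arcount (all 16-bit, network order)
HEADER = struct.Struct("!HHHHHH")

# Assumption: the stub's trust policy is a set of nameserver addresses whose AD bit
# may be passed through (the "trusted name servers" of the commit). Everything else
# is untrusted by default. 127.0.0.1 here is a constructed example of a local validator.
TRUSTED_NAMESERVERS = {"127.0.0.1"}


def encode_name(qname):
    """Wire-encode a domain name as length-prefixed labels, terminated by a zero byte."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(qname, qtype=1, txid=0x1234, set_ad=True):
    """Build a minimal query with RD=1 and, if requested, AD=1 (RFC 6840 section 5.7)."""
    flags = FLAG_RD | (FLAG_AD if set_ad else 0)
    header = HEADER.pack(txid, flags, 1, 0, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def parse_flags(msg):
    """Decode the header flags a stub resolver inspects before handing a reply upward."""
    if len(msg) < HEADER.size:
        raise ValueError("truncated DNS header")
    txid, flags, *_ = HEADER.unpack_from(msg, 0)
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
    }


def sanitize_ad(msg, server, trusted=TRUSTED_NAMESERVERS):
    """Keep AD only in replies from a trusted nameserver; clear it otherwise.

    The bit cannot be verified from the message itself, so the decision rests on the
    out-of-band configuration, exactly as the thread says it must.
    """
    if len(msg) < HEADER.size:
        raise ValueError("truncated DNS header")
    if server in trusted:
        return msg
    txid, flags, qd, an, ns, ar = HEADER.unpack_from(msg, 0)
    cleared = flags & (0xFFFF ^ FLAG_AD)
    return HEADER.pack(txid, cleared, qd, an, ns, ar) + msg[HEADER.size:]


# Constructed sample reply: QR=1 RD=1 RA=1 AD=1 (0x81A0), one question, one A record
# for example.com pointing at 192.0.2.1 (a documentation address), name compressed
# with a pointer to offset 12.
SAMPLE_RESPONSE = (
    HEADER.pack(0x1234, 0x81A0, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)


if __name__ == "__main__":
    print("query flags:", parse_flags(build_query("example.com")))
    for server in ("127.0.0.1", "192.0.2.53"):  # trusted local validator vs. untrusted
        seen = parse_flags(sanitize_ad(SAMPLE_RESPONSE, server))
        print(f"reply via {server}: AD passed to application = {seen['ad']}")
```

Run as a script it shows the same reply yielding AD=1 through the trusted address and AD=0 through the untrusted one; an application that keys behaviour off the AD bit should only ever see it after a filter of this shape.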