This is the mail archive of the
mailing list for the glibc project.
Re: [RFC] support for trusted validating resolver configuration
- From: Pavel Simerda <psimerda at redhat dot com>
- To: Florian Weimer <fweimer at redhat dot com>
- Cc: libc-alpha <libc-alpha at sourceware dot org>, Tomas Hozza <thozza at redhat dot com>, Petr Spacek <pspacek at redhat dot com>, Alexandre Oliva <aoliva at redhat dot com>, siddhesh at redhat dot com, schwab at suse dot de, neleai at seznam dot cz, OndÅej SurÃ <ondrej at sury dot org>, P J P <pjp at fedoraproject dot org>
- Date: Mon, 1 Dec 2014 16:51:00 -0500 (EST)
- Subject: Re: [RFC] support for trusted validating resolver configuration
- Authentication-results: sourceware.org; auth=none
- References: <1593405040 dot 320240 dot 1416314424126 dot JavaMail dot zimbra at redhat dot com> <547C83FA dot 9000503 at redhat dot com>
----- Original Message -----
> From: "Florian Weimer" <firstname.lastname@example.org>
> To: "Pavel Simerda" <email@example.com>, "libc-alpha" <firstname.lastname@example.org>
> Cc: "Tomas Hozza" <email@example.com>, "Petr Spacek" <firstname.lastname@example.org>, "Alexandre Oliva" <email@example.com>,
> firstname.lastname@example.org, email@example.com, firstname.lastname@example.org
> Sent: Monday, December 1, 2014 4:06:34 PM
> Subject: Re: [RFC] support for trusted validating resolver configuration
> On 11/18/2014 01:40 PM, Pavel Simerda wrote:
> > Goals:
> > * Applications can rely on the AD flag coming from the library.
> > - It's either cleared out or it comes from a trusted validating
> > resolver.
> Hi Pavel,
> I have looked at the situation, I think there are actually two goals here.
Thanks a lot!
For the record, we're talking about the following proposal:
Basically the proposal shouldn't be read as a cure for all DNSSEC related
issues but rather as an important building block. Technical notes follow.
> (1) Prevent updating the nss_dns configuration from untrusted sources
> (such as DHCP).
The proposal doesn't talk about nss_dns because nsswitch modules don't
currently provide any security information for the results. Instead it
is about the resolver providing API functions like res_query that return
a complete DNS answer including the AD flag that actually carries such
The proposal also recognizes the need to use dynamically obtained data (like
those from DHCP) in the resolver configuration in order to access local
resources and to use the network infrastructure effectively.
Therefore the proposal doesn't assume a restricted environment that would
avoid using resolvers not trusted for validation. As a result, it is useful
in all sorts of setups and when its basic assumptions (see later) are met,
it provides universal guarantees for libraries and applications.
> (2) The AD flag matter.
> I think (1) is a separate issue because there are so many things that
> can unexpectedly edit /etc/resolv.conf,
The proposal provides the same guarantees whether /etc/resolv.conf is guarded
from being replaced/rewritten or not.
> essentially taking a trust,
> local validating resolver (whether recursive or not) out of the picture.
One of the main features of the proposal is that /etc/resolv.conf contents
don't define the trusted validating resolver.
> It's better to consider (2) because that part is really complex. (I
> firmly believe we should in no way encourage applications to alter
> behavior on the AD bit
As far as I understand, the AD flag is the standard way the trusted
validator signals that the returned data is authenticated (using DNSSEC).
An application that relies on the security level of the data has
therefore no other choice than directly or indirectly:
1) Derive the authenticity from the *AD flag* when the trusted validator
is contacted using DNS (e.g. via the stub resolver in libc). The proposal
ensures that it is safe to use the AD flag from the stub resolver.
2) Derive the authenticity from *an equivalent of the AD flag* when the
trusted validator is contacted via other means or the application performs
validation itself. The proposal avoids the need to perform the validation
in the application itself (e.g. using libunbound).
Correct me if I'm wrong.
> But the nice thing is that if there is a foolproof way to lock a system
> to a trusted resolver,
The proposal ensures that for retrieving data from insecure zones, there
is no difference between a trusted validator and any other resolver. For
retrieving data from secure zones, it ensures that an untrusted resolver
cannot spoof the validation data.
In addition to the proposal, the operating system should employ techniques
to maximize the availability of the trusted validator in order to provide
security aware applications with validation data whenever possible as well
as to provide opportunistic(*) security to all applications. We are working
on this in the dnssec-trigger and unbound projects and we appreciate
(*) Where the opportunity depends on whether the zone is evaluated as signed
using a chain of trust. Please correct me if there's a better term for it.
> then the correctness of the AD bit matters less (in the sense that you can be
> sure that you receive DNS data at the security level specified by
> relevant zone operators).
This is useful for the opportunistic security (as specified above). Security
aware applications still need the AD flag (or an equivalent) to learn the
actual security level. Some data like TLSA, IPsec keying material and
SSH key fingerprints can only be used authenticated.
> For goal (1), there is also the question where the contents of
> /etc/resolv-secure.conf will come from. Obviously, DHCP is out.
Looks like I omitted this information in the original posting. Untrusted
sources like DHCP may still be needed to configure the trusted validating
resolver *whose* address ends up in /etc/resolv-secure.conf.
Please treat the following list of situations as an amendment to the proposal:
* /etc/resolv-secure.conf contains just 127.0.0.1 and we have a locally
running validating name server. This is part of what dnssec-trigger with
unbound achieves, but can be done manually as well.
* In a managed environment /etc/resolv-secure.conf includes the address of
a validating name server that is securely reachable. This may apply to a
host with containers or virtual machines, as well as a secure network
managed by an automated tool.
* The administrator really knows what he's doing, secures the network on his own,
and drops the address of a name server in /etc/resolv-secure.conf that will
be trusted to express the validation result using the AD flag.
Thank you again for finding time to review the proposal. As you see on the mailing
list, it's not easy to get feedback in this area.