Update to DNSSEC design document.

Petr Špaček petr.spacek@nic.cz
Thu May 21 08:48:08 GMT 2020


On 21. 05. 20 10:27, Alexander Monakov wrote:
> On Thu, 21 May 2020, Petr Špaček wrote:
> 
>> In my opinion:
>> - AD bit stripping ensures the application can trust the answer (which is
>> exactly the purpose of the AD bit).
> 
> I don't see how absence of AD bit implies that the application can trust the
> answer, and I think you and Rich are talking from different standpoints here.

No, this is a misunderstanding. It is exactly the opposite, see below.


> I apologize if I misunderstand something, but let me summarize in simpler
> terms what I imagine is being said:
> 
> I think your position is that if the applications sees the AD bit,
> then there is some code (in the resolver library, probably) that has already
> verified the answer, and would clear the AD bit if it could not be verified.

Yes, this is how DNSSEC is defined _in 2020_, see below.


> I think Rich is talking from the standpoint that if the application sees the AD
> bit, then an authoritative server has set the AD bit in accordance to RFC 3655
> section 2.2 and is thus requesting the recipients to verify it. After seeing the
> AD bit, the application should honor the request and verify the answer. Not sure
> what API could be used for this purpose.

RFC 3655 has been obsolete for 15 years now, forget about it. It was replaced in 2005 by RFCs 4033-4035. The meaning of the AD bit is defined in https://tools.ietf.org/html/rfc4035#section-3.2.3:

3.2.3.  The AD Bit

   The name server side of a security-aware recursive name server MUST
   NOT set the AD bit in a response unless the name server considers all
   RRsets in the Answer and Authority sections of the response to be
   authentic. ...

It was later clarified (but not changed since 2005) in https://tools.ietf.org/html/rfc6840#section-5.8, but that does not change its meaning on the receiving side.


> Again, I am probably missing some very essential details here, and even might be
> misrepresenting what either of you said. I think your standpoints are so
> different though, it helps to clarify the overall idea before arguing the
> details.

I'm trying to say that a DNSSEC-enabled resolver determines the bit and the application can rely on it _as long as it can be sure it was set by a trusted DNSSEC-validating resolver and not modified in transit_. And this is exactly the purpose of AD bit stripping.

Does it clarify my view?

-- 
Petr Špaček  @  CZ.NIC
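The stub-resolver policy described in this thread, as an added example that is not code from the glibc project or from either poster: a validating recursive resolver sets the AD bit per RFC 4035 section 3.2.3, and the stub keeps that bit only when the response came from a resolver the host trusts to validate over a path it trusts (here modelled as a constructed set of trusted resolver addresses); from any other source the bit is cleared before the application sees it. The sample response header, the trusted-resolver set and the helper names are assumptions made for this illustration.

```python
import struct

# DNS header flag bits (RFC 1035 §4.1.1, RFC 4035 §3.1.6 for AD and CD).
QR_BIT = 0x8000
RD_BIT = 0x0100
RA_BIT = 0x0080
AD_BIT = 0x0020  # "Authentic Data": set by a validating recursive resolver
CD_BIT = 0x0010  # "Checking Disabled": set by a client that validates itself

HEADER_LEN = 12  # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (2 bytes each)

# Constructed sample: response header with QR, RD, RA and AD set, RCODE NOERROR,
# one question and one answer. The RR payload is irrelevant for header handling,
# so a few placeholder bytes stand in for the sections.
SAMPLE_RESPONSE = struct.pack("!HHHHHH", 0x1234, QR_BIT | RD_BIT | RA_BIT | AD_BIT,
                              1, 1, 0, 0) + b"\x00" * 4

# Constructed policy: only the local validating resolver is trusted, because a
# loopback path cannot be modified in transit by an on-path attacker.
TRUSTED_RESOLVERS = frozenset({"127.0.0.1", "::1"})


def flags_of(msg: bytes) -> int:
    """Return the 16-bit FLAGS word of a DNS message."""
    if len(msg) < HEADER_LEN:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", msg[2:4])[0]


def ad_bit_set(msg: bytes) -> bool:
    """True if the response carries the AD bit."""
    return bool(flags_of(msg) & AD_BIT)


def clear_ad_bit(msg: bytes) -> bytes:
    """Return a copy of the message with the AD bit cleared; other bits untouched."""
    flags = flags_of(msg) & ~AD_BIT
    return msg[:2] + struct.pack("!H", flags) + msg[4:]


def sanitize_response(msg: bytes, resolver_addr: str,
                      trusted_resolvers: frozenset = TRUSTED_RESOLVERS) -> bytes:
    """Stub-resolver policy for the AD bit.

    The AD bit is a statement by the recursive resolver that it validated the
    answer. The application may only rely on it if the stub knows the bit was
    set by a trusted validating resolver and could not have been altered on
    the way; otherwise the stub strips it so the application never sees an
    AD bit it cannot trust.
    """
    if resolver_addr in trusted_resolvers:
        return msg
    return clear_ad_bit(msg)


if __name__ == "__main__":
    for addr in ("127.0.0.1", "192.0.2.53"):
        out = sanitize_response(SAMPLE_RESPONSE, addr)
        print(f"from {addr:<12} AD seen by application: {ad_bit_set(out)}")
```

Running the block shows the AD bit surviving for the loopback resolver and being cleared for the remote one; clearing the bit never changes RCODE, RD, RA or the message body, so the application still receives the answer, just without an unverifiable trust claim attached.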