sendmail's implementation of DANE determines whether DNSSEC validation was
successful based on the presence of the AD bit in the response to the DANE
record lookup.
An equivalent dig lookup would be:
% dig TLSA _25._tcp.smtp.gshapiro.net.
...
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 160
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
...
;; ANSWER SECTION:
_25._tcp.smtp.gshapiro.net. 5 IN TLSA 3 1 1 8B2B0BF34A1D650A91399A28D5E6BBF377FB5319E9850078538164F5 557CD5BA
As you can see above, the flags returned include "ad".
However, if sendmail is run on a server that lists the authoritative nameserver
for a domain as a resolver (/etc/resolv.conf), the AD bit is not returned for
lookups of those authoritative domains. For example, when running the above
dig command pointing at ns.gshapiro.net (running BIND 9.16.24), the AD bit is
not returned:
> dig TLSA _25._tcp.smtp.gshapiro.net. @ns.gshapiro.net
...
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45940
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
...
;; ANSWER SECTION:
_25._tcp.smtp.gshapiro.net. 120 IN TLSA 3 1 1 8B2B0BF34A1D650A91399A28D5E6BBF377FB5319E9850078538164F5 557CD5BA
Two questions:
1. Is there a reason when BIND is running as both a recursive server and an
authoritative server for a domain, it doesn't set the AD bit when answering
resolver queries for one of its authoritative domains?
2. Should sendmail not be trusting the AD bit in replies from the admin-configured
(i.e., trusted by admin) resolvers? I.e., should sendmail be doing
something different for DANE DNSSEC validation? Note that DANE doesn't allow
for treating the authoritative server differently so I don't believe we can use
the AA bit as a substitute for the AD bit.
Thanks!
bind-users mailing list
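To make the AD-versus-AA distinction in the post concrete, here is an added example (not sendmail's or BIND's code) that decodes the flags word of a raw DNS header and classifies a TLSA response the way a DANE client must: only AD counts as a DNSSEC-validation claim, and an authoritative answer (AA without AD) is not a substitute. The two header byte strings are constructed from the flags and ids in the dig outputs quoted above.

```python
import struct

# Bit positions in the 16-bit DNS header flags word
# (RFC 1035 section 4.1.1; AD and CD bits from RFC 4035).
FLAG_BITS = {"qr": 15, "aa": 10, "tc": 9, "rd": 8, "ra": 7, "ad": 5, "cd": 4}


def build_header(msg_id, flag_names, qd=1, an=1, ns=0, ar=1, rcode=0):
    """Build a 12-byte DNS header from dig-style flag names (constructed test data)."""
    flags = rcode & 0xF
    for name in flag_names:
        flags |= 1 << FLAG_BITS[name]
    return struct.pack("!HHHHHH", msg_id, flags, qd, an, ns, ar)


def parse_flags(header):
    """Decode id, set flag names and rcode from the first 4 bytes of a DNS header."""
    msg_id, flags = struct.unpack("!HH", header[:4])
    names = {n for n, bit in FLAG_BITS.items() if flags & (1 << bit)}
    return {"id": msg_id, "flags": names, "rcode": flags & 0xF}


def dane_validation_status(header):
    """Classify a TLSA response for DANE purposes.

    'validated' only when the resolver asserted AD; an authoritative answer
    (AA set, AD clear) says nothing about DNSSEC, so it cannot be used.
    """
    info = parse_flags(header)
    if info["rcode"] != 0:
        return "error"
    if "ad" in info["flags"]:
        return "validated"
    if "aa" in info["flags"]:
        return "authoritative-no-ad"
    return "unvalidated"


# Constructed from the two dig outputs in the post: the recursive resolver
# answer (flags: qr rd ra ad, id 160) and the answer from ns.gshapiro.net
# itself (flags: qr aa rd ra, id 45940).
RECURSIVE_RESPONSE = build_header(160, ["qr", "rd", "ra", "ad"])
AUTHORITATIVE_RESPONSE = build_header(45940, ["qr", "aa", "rd", "ra"])

if __name__ == "__main__":
    for name, hdr in (("recursive", RECURSIVE_RESPONSE), ("authoritative", AUTHORITATIVE_RESPONSE)):
        print(name, sorted(parse_flags(hdr)["flags"]), dane_validation_status(hdr))
```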