On 15. 04. 20 7:23, Florian Weimer wrote:
> This approach does not work because you do not know whether the
> recursive resolver merely echoes back the AD bit, or has actually
> performed DNSSEC validation.
As always, any reliance on the AD bit requires out-of-band knowledge of whether the other side does validation and can be trusted or not... and I'm sure Viktor knows that.

Glibc (after years and years of deliberation) now has explicit configuration for passing the AD bit back to clients:

GLibc commit 446997ff1433d33452b81dfa9e626b8dccf101a4
Author: Florian Weimer <[email protected]>
Date:   Wed Oct 30 17:26:58 2019 +0100

    resolv: Implement trust-ad option for /etc/resolv.conf [BZ #20358]

    This introduces a concept of trusted name servers, for which the
    AD bit is passed through to applications. For untrusted name
    servers (the default), the AD bit in responses is cleared, to
    provide a safe default.

    This approach is very similar to the one suggested by Pavel Šimerda
    in <https://bugzilla.redhat.com/show_bug.cgi?id=1164339#c15>.

    The DNS test framework in support/ is enhanced with support for
    setting the AD bit in responses.

    Tested on x86_64-linux-gnu.

    Change-Id: Ibfe0f7c73ea221c35979842c5c3b6ed486495ccc

Kudos to Florian for making it happen, it took 6 years to get it upstream!

Historical notes:
https://www.sourceware.org/glibc/wiki/DNSSEC

-- 
Petr Špaček @ CZ.NIC
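The policy the commit message describes, as an added illustration that is not glibc's code: a stub resolver reads `options trust-ad` from resolv.conf text and, unless that option is present, clears the AD bit in the DNS header before handing the answer to the application. The resolv.conf text and the 12-byte response are constructed sample inputs.

```python
# Added example (not glibc's implementation): apply the trust-ad policy
# to a raw DNS response. AD is bit 10 of the header flags word (RFC 4035 3.2.3).
import struct

AD_BIT = 0x0020


def resolv_conf_trusts_ad(conf_text: str) -> bool:
    """True if any 'options' line in the resolv.conf text lists trust-ad.
    Comments start with '#' or ';' and are ignored."""
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split(";", 1)[0].split()
        if fields and fields[0] == "options" and "trust-ad" in fields[1:]:
            return True
    return False


def ad_flag(msg: bytes) -> bool:
    """Read the AD bit from the header of a wire-format DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    (flags,) = struct.unpack_from("!H", msg, 2)
    return bool(flags & AD_BIT)


def sanitize_answer(msg: bytes, trust_ad: bool) -> bytes:
    """Pass AD through only for a trusted server; otherwise clear it.
    Clearing is the safe default: an untrusted or non-validating recursive
    resolver may simply echo AD without having validated anything."""
    if trust_ad or len(msg) < 12:
        return msg
    (flags,) = struct.unpack_from("!H", msg, 2)
    return msg[:2] + struct.pack("!H", flags & ~AD_BIT) + msg[4:]


def build_response(ad: bool) -> bytes:
    """Constructed sample: header-only response with QR, RD and RA set."""
    flags = 0x8180 | (AD_BIT if ad else 0)
    return struct.pack("!HHHHHH", 0x1234, flags, 0, 0, 0, 0)


if __name__ == "__main__":
    # Constructed resolv.conf contents for the two cases.
    trusted = resolv_conf_trusts_ad("nameserver 127.0.0.1\noptions edns0 trust-ad\n")
    untrusted = resolv_conf_trusts_ad("nameserver 192.0.2.1\noptions edns0\n")
    answer = build_response(ad=True)
    print("trusted server, AD kept:   ", ad_flag(sanitize_answer(answer, trusted)))
    print("untrusted server, AD kept: ", ad_flag(sanitize_answer(answer, untrusted)))
```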
