Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 13 Apr 2020 14:35:22 -0400
From: Rich Felker <dalias@...c.org>
To: Postfix users <postfix-users@...tfix.org>
Cc: musl@...ts.openwall.com
Subject: Re: Outgoing DANE not working

On Mon, Apr 13, 2020 at 02:15:14PM -0400, Viktor Dukhovni wrote:
> > On Apr 13, 2020, at 7:18 AM, Christian <list-christian@....de> wrote:
> > 
> > FYI: I put your findings forward to the musl-libc mailing list and
> > asked what they now think what should be done.
> 
> The problem can be partly resolved by setting the "AD" bit in the
> outgoing DNS query header sent by the musl-libc stub resolver.  Then
> the local iterative resolver will return the AD bit in its response.
> 
> However, lack of support for retrying truncated responses over TCP
> or support for disabling RES_DEFNAMES and RES_DNSRCH remain as issues.

This has also been discussed some on the musl list already
(https://www.openwall.com/lists/musl/2020/04/13/1) but I'm replying
into this thread as well because I'd like to come to some mutually
acceptable solution.

musl's stub resolver intentionally speaks only rfc1035 udp, and the
intent has always been that DNSSEC validation and policy be the
responsibility of the nameserver running on localhost, not the stub
resolver or the calling application. The resolver is intentionally
stateless. It was probably a mistake to provide the fake _res
definition, and I'm interested in resolving that mistake either by
removing it or adding res_n* API that honor (parts of) it at some
point, but determining the right action here and coordinating with
distros to ensure they have fixes in place for anything that breaks
will take a while.

RES_DEFNAMES and RES_DNSRCH are irrelevant as search is never
performed by the res_* interfaces, and domain/search keywords are used
only by the high-level ones (getaddrinfo/getnameinfo and the old
legacy gethostby*).

What is relevant, as far as I can tell, is that Postfix wants a way to
perform an EDNS0 query that lets it distinguish between a valid signed
result and a valid unsigned result. This is currently not possible,
but would be practical to add based on "options edns0" in resolv.conf.
I'm not sure if or how soon that will happen, but determining that is
something I'd like to have come out of this discussion.

>From my perspective, what would work best with what's always been the
intended DNSSEC usage model of musl would be if Postfix supported use
of DANE with smtp_dns_support_level=enabled, i.e. outsourcing all
DNSSEC functionality to the nameserver.

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.