feature request: modify getrrsetbyname() to use libunbound

Thu May 10 04:56:08 EST 2012

On Wed, May 09, 2012 at 08:59:53AM -0400, Robert Story wrote:
> On Wed, 09 May 2012 12:44:13 +0200 Ond??ej wrote:
> > There is only one pitfall. The autonomous validation is attempted
> > only if the DNS response does not contain the AD flag. Therefore if
> > someone changes the DNS response on the wire and leaves the AD flag
> > set, spurious data are trusted without further validating.

Ondrej: Thanks for pointing this out.  (I had to dig through ldns source
to find the 'anchor' directive -- agree poorly documented feature.)

> > This is not secure, as link between computer and DNS resolver
> > cannot be generally trusted.  

This is the whole point of the unbound patch and our request.  I don't
want to trust the AD flag from an upstream resolver (like my ISP).  But I
also don't want to tell users to install a local resolver.

> Yes, which is why we prefer our DNSSEC-Tools libval patch, which always
> does local validation and does not depend on the AD flag.
> 
> 	https://bugzilla.mindrot.org/show_bug.cgi?id=1672

Robert, this is a very well written rationale for local DNSSEC
validation.  I agree with you: it is very important to have openssh
perform anchored DNSSEC validations and not trust the AD flag.

There seem to be three possible approaches (please correct me if I'm
wrong).  If the library-specific implementation is encapsulate in
getrrsetbyname(), we could support all three.

(1) modify the current ldns version of getrrsetbyname() to not trust the
AD flag and to perform anchored validations (possibly optionally based on
whether StrictDnssecChecking is set)

(2) make use of Robert's DNSSEC-Tools-based implementation; could the
DNSSEC-Tools-specific implementation be moved from verify_host_key_dns()
to getrrsetbyname()?

(3) make use of a libunbound-based implementation (which might not be
able to support StrictDnssecChecking=no); could be redundant given (1)
but allows for significant configuration... though one could argue "just
install unbound" if one needs that much tweaking

Is it too ugly to have the validation-enforcing implementations of
getrrsetbyname() function be aware of options->strict_dnssec_checking?

If the underlying tool makes use of a specific supplementary file
(/etc/resolv.conf or /etc/ssh/ssh_unbound_config), then we can allow for
external configuration without introducing additional configuration
directives in ssh_config).

I don't use OpenBSD but, in looking through it's source, it seems that
nothing in the getrrsetbyname() -> res_query() -> res_mkquery() chain
enforces anchored DNSSEC validation.  In other words, OpenBSD also
trusts the AD flag (please correct me if I'm mistaken).

I hope this means that openssh and openssh-portable would not need to be
too different as anchored DNSSEC validation might be of interest to the
OpenBSD community, also.

-- 
Luca Filipozzi
Member, Debian System Administration Team