|
|
Log in / Subscribe / Register

Re: Building consensus over DNSSEC enhancements to glibc.

[Posted November 17, 2015 by corbet]

From:  Simo Sorce <simo-AT-redhat.com>
To:  Rich Felker <dalias-AT-libc.org>
Subject:  Re: Building consensus over DNSSEC enhancements to glibc.
Date:  Fri, 6 Nov 2015 15:10:59 -0500
Message-ID:  <563D0953.9020707@redhat.com>
Cc:  Petr Spacek <pspacek-AT-redhat.com>, libc-alpha-AT-sourceware.org, Paul Wouters <pwouters-AT-redhat.com>

On 06/11/15 13:28, Rich Felker wrote:
> On Fri, Nov 06, 2015 at 01:11:47PM -0500, Simo Sorce wrote:
>> On 06/11/15 12:59, Rich Felker wrote:
>>> On Fri, Nov 06, 2015 at 10:42:38AM +0100, Petr Spacek wrote:
>>>> On 5.11.2015 02:23, Rich Felker wrote:
>>>>> On Wed, Nov 04, 2015 at 03:44:48PM -0500, Carlos O'Donell wrote:
>>>>>> Community,
>>>>>>
>>>>>> I have written up a summary of the mailing list discussions
>>>>>> surrounding DNSSEC and the enhancements required to better
>>>>>> support it in glibc.
>>>>>>
>>>>>> https://sourceware.org/glibc/wiki/DNSSEC
>>>>>>
>>>>>> Any thoughts or comments would be much appreciated.
>>>>>
>>>>> While I'm not opposed to clean ways to expose DNSSEC trust to
>>>>> applications, I don't see a bit libc role in the ideal client setup:
>>>>> you just run a local nameserver that verifies DNSSEC and replies with
>>>>> ServFail upon receiving forged reslts/results that are supposed to be
>>>>> signed but aren't.
>>>>
>>>> This scheme is okay in principle and we want to deliver it in Fedora, however,
>>>> it is missing one important aspect: It has to fail safe.
>>>>
>>>> If the local validating resolver is not available for whatever reason the
>>>> application cannot rely on AD bit - doing so would be a security nightmare
>>>> because an attacker could easily spoof SSL/SSH key fingerprints etc.
>>>
>>> In such a configuration, if the local validating resolver is not
>>> available, all lookups fail with an inconclusive error.
>>>
>>> Presumably you're assuming having a non-local backup nameserver
>>> configured. Such a configuration is inherently broken and insecure.
>>> resolv.conf should contain nothing but "nameserver 127.0.0.1" on a
>>> DNSSEC enabled system.
>>
>> The problem is what happen if you configure the system to have
>> 127.0.0.1 in the normal case, then you attach a new network
>> interface and suddenly resolv.conf is changed to point to something
>> else (whatever DNS is passed to a dhcp client or vpn client or ...).
>
> On a system configured with DNSSEC you do not allow resolv.conf to be
> changed by dhcp clients. Doing so is a bug.

It is not whether you want it, it is what do you do when (not if) it 
happens.

Look, we all want DNSSEC, and we all want a local resolver and avoid bad 
resolv.conf configuration, but we all also know that desires and reality 
are two different thing.

Our end goal with Fedora (and eventually RHEL) is to end up with a 
default local resolver and NetworkManager (or other appropriate daemon) 
controlling resolv.conf (probably setting it with the immutable 
filesystem flag and what not).

However we are not there, and there are ton of Linux distributions that 
we have no say over and will continue to allow dhclient, vpn clients, 
and whatnot to change resolv.conf

In order for *any* application to be able to trust glibc's AD bit, glibc 
must give guarantees that it will not serve data from untrusted servers 
(or exposes indication about trustability).

To do that glibc needs to know that a server *is* indeed trusted. and 
looking at the nameserver field is obviously not sufficient, because no 
matter how ardently we desire so, common/existing configuration managers 
slap in random servers with no regard.

So how do we indicate to glibc that a server is trusted in a way that 
applications can trust it and other commonly used resolver libraries 
(like c-ares for example) can learn to use ?

We need a (positive) way to tell glibc, unequivocally, that the system 
is handled by a configuration manager (whether that is software or an 
admin manually setting configuration options doesn't matter) that is 
aware and know how to properly set the system for DNSSEC.

The easiest mostr compatible way to tell glibc is by adding/changing an 
option in resolv.conf, an option not used by current existing 
configuration managers.

Then glibc has two options to deal with applications:
  - always strip AD bits unless trusted resolver is enabled
or
  - add a new public function that applications can call to query if 
glibc is currently configured with a trusted resolver or not.


A situation in which glibc does not use an explicit configuration option 
to signal applications that it is using a trusted resolver is not useful 
... no scratch that, it is actively harmful, because applications 
developers will quickly realize they cannot trust any information coming 
from glibc and will simply not use it for DNSSEC related information.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

to post comments


Copyright © 2015, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds