DNSSEC validation via AD bit?

Petr Špaček pspacek at isc.org
Tue Feb 1 08:28:26 UTC 2022


On 31. 01. 22 11:50, Tony Finch wrote:
>> 2. Should sendmail not be trusting the AD bit in replies from the admin
>> configured (i.e., trusted by admin) resolvers?
> It's dangerous territory. Sendmail isn't alone: for example, OpenSSH also
> relies on the AD bit to validate SSHFP records. But using AD is only safe
> if the validating resolver is running on localhost. Unfortunately the
> portable subset of the resolver API doesn't allow programs to check their
> recursive server addresses, so they just have to hope that they have been
> configured by a careful person. (On a mail server there are also
> performance reasons for running a local resolver, so I guess you are OK in
> this respect.)

Let me add one more detail. To make this more explicit, glibc since 2.31 
added "options trust-ad" into resolv.conf. See 
https://man7.org/linux/man-pages/man5/resolv.conf.5.html and search for 
trust-ad.

I hope it helps.

-- 
Petr Špaček  @  Internet Systems Consortium
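As an added illustration (not code from this thread or from ISC), the check below encodes the two conditions discussed above before a program relies on the AD bit: every configured resolver must be on localhost, and on glibc 2.31+ `options trust-ad` must be present so the stub resolver preserves AD in responses. The resolv.conf contents at the bottom are constructed samples, and the function names are my own.

```python
import ipaddress
from typing import List, Set, Tuple


def parse_resolv_conf(text: str) -> Tuple[List[str], Set[str]]:
    """Return (nameservers, options) from resolv.conf text.

    Only 'nameserver' and 'options' directives matter here; comments
    ('#' or ';') and other directives (search, domain, sortlist) are skipped.
    """
    nameservers: List[str] = []
    options: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            nameservers.append(fields[1])
        elif fields[0] == "options":
            options.update(fields[1:])
    return nameservers, options


def ad_bit_trustworthy(text: str) -> Tuple[bool, str]:
    """Return (ok, reason); ok is True only when AD can safely be relied on."""
    nameservers, options = parse_resolv_conf(text)
    if not nameservers:
        # glibc defaults to the local host here, but treat "implicit" as unverified.
        return False, "no nameserver configured"
    for ns in nameservers:
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            return False, f"unparseable nameserver {ns!r}"
        if not addr.is_loopback:
            # Off-host resolver: AD in the reply could be altered in transit.
            return False, f"resolver {ns} is not on localhost"
    if "trust-ad" not in options:
        # Without trust-ad, glibc (>= 2.31) clears AD before handing answers to apps.
        return False, "'options trust-ad' not set; glibc will clear the AD bit"
    return True, "all resolvers on localhost and trust-ad set"


# Constructed sample resolv.conf contents (hypothetical hosts)
SAFE = "nameserver 127.0.0.1\nnameserver ::1\noptions trust-ad edns0\n"
REMOTE = "# corporate resolver\nnameserver 192.0.2.53\noptions trust-ad\n"
NO_FLAG = "nameserver 127.0.0.1\n"
```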
