DNSSEC validation via AD bit?

Mark Andrews marka at isc.org
Mon Jan 31 00:29:55 UTC 2022

> On 31 Jan 2022, at 10:45, Gregory Shapiro via bind-users <bind-users at lists.isc.org> wrote:
> 
> sendmail's implementation of DANE determines whether DNSSEC validation was successful based on the presence of the AD bit in the response to the DANE record lookup.  
> 
> An equivalent dig lookup would be:
> 
>    % dig TLSA _25._tcp.smtp.gshapiro.net.
>    ...
>    ;; Got answer:
>    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 160
>    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>    ...
>    ; ANSWER SECTION:
>    _25._tcp.smtp.gshapiro.net. 5   IN      TLSA    3 1 1 8B2B0BF34A1D650A91399A28D5E6BBF377FB5319E9850078538164F5 557CD5BA
> 
> As you can see above the flags returned include "ad".
> 
> However, if sendmail is run on a server that lists the authoritative nameserver for a domain as a resolver (/etc/resolv.conf), the AD bit is not returned for lookups of those authoritative domains.  For example, when running the above dig command pointing at ns.gshapiro.net (running BIND 9.16.24), the AD bit is not returned:
> 
>    % dig TLSA _25._tcp.smtp.gshapiro.net. @ns.gshapiro.net
>    ...
>    ;; Got answer:
>    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45940
>    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>    ...
>    ;; ANSWER SECTION:
>    _25._tcp.smtp.gshapiro.net. 120 IN      TLSA    3 1 1 8B2B0BF34A1D650A91399A28D5E6BBF377FB5319E9850078538164F5 557CD5BA
> 
> Two questions:
> 
> 1. Is there a reason when BIND is running as both a recursive server and an authoritative server for a domain, it doesn't set the AD bit when answering resolver queries for one of its authoritative domains?

Because it is not required.  Validation really should be performed by the application as well as the resolver.

You can use views to have named return AD for locally served zones.

> 2. Should sendmail not be trusting the AD bit in replies from the admin configured (i.e., trusted by admin) resolvers?  I.e., should sendmail be doing something different for DANE DNSSEC validation?  Note that DANE doesn't allow for treating the authoritative server differently so I don't believe we can use the AA bit as a substitute for the AD bit.

It should be performing its own validation.  DNSSEC validation was intended to be done by applications from the very beginning.  Also look at all the caveats about using AD.  Are you using transport security to protect the AD state?  Have you checked that AD is not being copied from the request to the reply, as there are lots of broken DNS servers that do this?  AD is a useful diagnostic signal but really shouldn't be used for much more.

> Thanks!

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
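The "is AD being copied from the request" caveat above can be checked from the client side. The Python below is an added example, not code from this thread, from BIND or from sendmail: it sends the thread's TLSA query to a resolver twice, once with AD set in the header and once with only the EDNS DO bit, and compares the replies. RFC 6840 allows a validating resolver to set AD when either AD or DO was in the query, so a validator answers both probes the same way; AD on the AD-flagged probe alone is the echo signature. The resolver address and name passed to `probe` are the caller's choice (the thread's case was ns.gshapiro.net); `classify` works on captured bytes and needs no network.

```python
import socket
import struct

TLSA = 52   # RR type queried in the thread (_25._tcp.smtp.gshapiro.net)

def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels, terminated by a zero octet."""
    out = b"".join(struct.pack("B", len(lab)) + lab.encode("ascii")
                   for lab in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(name: str, qtype: int, ad: bool, do: bool, qid: int = 0x1234) -> bytes:
    """RD is always set; AD goes in the header, DO in an EDNS OPT record."""
    flags = 0x0100 | (0x0020 if ad else 0)            # RD is bit 8, AD is bit 5
    msg = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if do else 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)   # QTYPE, class IN
    if do:   # OPT RR: root name, type 41, UDP size 1232, DO bit in the TTL field
        msg += b"\x00" + struct.pack("!HHIH", 41, 1232, 0x8000, 0)
    return msg

def header_flags(msg: bytes) -> dict:
    """Decode the flag bits of a DNS message header (same names dig prints)."""
    f = struct.unpack("!H", msg[2:4])[0]
    return {"qr": bool(f & 0x8000), "aa": bool(f & 0x0400),
            "rd": bool(f & 0x0100), "ra": bool(f & 0x0080),
            "ad": bool(f & 0x0020), "cd": bool(f & 0x0010), "rcode": f & 0xF}

def classify(reply_to_ad_query: bytes, reply_to_do_query: bytes) -> str:
    """A validating resolver sets AD for both probes (or for neither, e.g. when
    it answers from its own authoritative data, as in the thread). AD only on
    the AD-flagged probe means the request's AD bit was echoed back."""
    ad1 = header_flags(reply_to_ad_query)["ad"]
    ad2 = header_flags(reply_to_do_query)["ad"]
    if ad1 and ad2:
        return "validated"
    if not ad1 and not ad2:
        return "not validated"
    return "suspect: AD echoed from request" if ad1 else "inconsistent"

def probe(resolver: str, name: str, qtype: int = TLSA, timeout: float = 3.0) -> str:
    """Send the two probes to a resolver over UDP port 53 and classify its replies."""
    replies = []
    for ad, do in ((True, False), (False, True)):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, qtype, ad, do), (resolver, 53))
            replies.append(s.recv(4096))
    return classify(*replies)
```

A call such as `probe("127.0.0.1", "_25._tcp.smtp.gshapiro.net")` runs the check against the resolver named in /etc/resolv.conf; the probe speaks plain UDP, so the transport-security caveat about AD still applies to whatever it reports.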