< Networking | NameResolution | DNSSEC
Configuration requirements
The main network configuration tool is NetworkManager. When using DNSSEC it is combined with dnssec-trigger via a script shipped in the dnssec-trigger package.
Common operations
With or without DNSSEC, NetworkManager gathers the list of recursive name servers from DHCP and/or configuration. The purpose of those name servers is to answer DNS queries including those for DNSSEC records. Those name servers are not meant to be trusted for anything else than attempting to answer the queries and especially not for performing DNSSEC validation.
Without DNSSEC
When DNSSEC is not in use, the easiest way to handle the list of name servers is to put it into /etc/resolv.conf so that the stub resolver can do its job.
As /etc/resolv.conf doesn't support advanced configuration, it is often useful to instead configure a local recursive DNS server (e.g dnsmasq or unbound) with the name server list and point the stub resolver to the local host using /etc/resolv.conf.
With DNSSEC
When DNSSEC is in use, after gathering the recursive nameservers, NetworkManager reconfigures a local unbound instance using dnssec-trigger. In this case the stub resolver should point to the local unbound instance and it should be instructed that the local unbound instance is not just an ordinary recursive name server but also a trusted DNSSEC validator.
Problem: There is currently no way to distinguish ordinary recursive name servers and trusted DNSSEC validators in the stub resolver configuration.
DNSSEC requirements on the stub resolver
Glossary
Recursive name server – DNS server used by the system to gather DNS data
Trusted validator – DNS server used by the system to verify DNSSEC signatures
Expected behavior
Hi,
Those distribution policies have been correct for ages. Before DNSSEC was created, noone would question them.
We were looking for a solution where:
1) Application or security library can trust the data from glibc resolver including security information.
2) Resolver can provide unauthenticated DNS data when in non-DNSSEC mode and the list of recursive name servers is configured by a system administrator or an automated tool.
3) Resolver can provide autenticated DNS data when in DNSSEC mode andthe list of trusted resolvers is provided by the system administrator (rarely) or by an automated tool (in most cases giving just 127.0.0.1).
The most important thing is that the application never receives autenticated data that were only verified by an ordinary recursive server. That would mean an implicit trust in an unauthorized and unexpected DNSSEC validator.
Note that a recursive name server is typically a host on the local network announced by DHCP while a trusted validator is typically the local machine which itself is talking to a recursive name server.
Current status
The current implementation in glibc doesn't achieve the goals stated above and doesn't prevent the security problem of implicitly using foreign recursive name servers as trusted DNSSEC validators.
We have an experimental implementation using '/etc/resolv-secure.conf' that solves the problem. I'm looking forward to see any alternatives. The issue has been holding back DNSSEC deployment for long and might cause a lot of damage.
....To be processed....
> Nothing prevents Network Manager from maintaining a list of > trusted DNS servers
In a non-DNSSEC setup, NetworkManager gathers list of recursive name servers (not trusted validators) and writes them to '/etc/resolv.conf' so the resolver can do its job.
In a DNSSEC setup, NetworkManager gathers the very same list of recursive name servers, (through dnssec-trigger) configures the local trusted DNSSEC validator (unbound) and (without our fix) writes 'nameserver 127.0.0.1' to '/etc/resolv.conf'.
In none of the two most common cases above there is any list of trusted DNS servers to be maintained.
> the user has entered by hand, and using those > instead of what is provided via DHCP.
NetworkManager accepts the list of recursive name servers (whether from the user or from DHCP), not the trusted validators. Instead in NetworkManager/dnssec-trigger setups, the trusted validator is always '127.0.0.1'.
> Your focus appears to be to fix an unfixable situation,
It may appear so but it definitely isn't. See the definition of goals at the top of this mail. And we already have an experimental working solution that works in line with the goals.
> you are already on an untrusted network.
There is a huge difference between using an untrusted recursive name server and using an untrusted DNSSEC validator. DNSSEC works great with untrusted recursive name servers but its security is jeopardized by *using them as DNSSEC validators*.
> If anything you need an API to > describe the network trust level e.g. Can I trust the results from > DNS? This way applications will know if the results they have from > any interface are safe.
For DNSSEC, all we need is to never implicitly use recursive name servers as trusted DNSSEC validators. In my opinion, the best way to implement that is to avoid passing security information from ordinary recursive name servers (not configured as trusted DNSSEC validators).
> Until such an API exists I concede that a /etc/resolv.conf option,
> say insecure-dns could be created to remove all security information
> from DNS queries.
It is still wrong to use recursive name servers as trusted DNSSEC validators by default.
> This way if Network Manager knows it is in a "public" > network
This has nothing to do with public networks. It is wrong to use recursive name servers as trusted DNSSEC validators unless explicitly stated.
Using a local name server as trusted DNSSEC validator is on the same level as using a local HTTPS proxy without checking any certificates.
> it will set option insecure-dns in /etc/resolve.conf.
>
> > Of course this is just one way to do it. But I chose it for both ease of
> > implementation which is obvious from the submitted patch, and for its
> > inherent advantages described above. On the other hand, I will be happy
> > to learn about a better solution that will address the same potential
> > issues my patch addresses.
>
> The better solution is a higher level API for determining if you can
> trust the network,
No, because DNSSEC doesn't have the concept of trusting a network at all.
> not breaking end-to-end principles by manipulating > returned DNS packets. I concede that we need a middle ground though. > > I would still like to see, and haven't seen, a detailed design document > with the specific use cases and concrete applications that are driving > these changes e.g. a wiki page somewhere with a design.
Sure.
Cheers,
Pavel