[exim] Upcoming Glibc changes and DANE support in Exim, Post…

Pàgina inicial
Delete this message
Reply to this message
Autor: Viktor Dukhovni
Data:  
A: exim-users
Assumpte: [exim] Upcoming Glibc changes and DANE support in Exim, Postfix, and perhaps other MTAs
On Tue, Apr 14, 2020 at 05:59:51PM -0400, Viktor Dukhovni wrote:

Apparently the Glibc 2.31 (released Feb 2020) stub resolver either
always solicits or always censors the AD-bit from its configured
forwarding nameservers:

    https://gnutoolchain-gerrit.osci.io/r/c/glibc/+/461/3/NEWS


    * The DNS stub resolver will optionally send the AD (authenticated data) bit
      in queries if the trust-ad option is set via the options directive in
      /etc/resolv.conf (or if RES_TRUSTAD is set in _res.options).  In this
      mode, the AD bit, as provided by the name server, is available to
      applications which call res_search and related functions.  In the default
      mode, the AD bit is not set in queries, and it is automatically cleared in
      responses, indicating a lack of DNSSEC validation.  (Therefore, the name
      servers and the network path to them are treated as untrusted.)


I read this to mean that the new "trust-ad" option, if set, causes the
Glibc stub resolver to set AD=1 in queries, but *otherwise*, causes it
to strip the AD bit from replies.

I don't yet have access to systems with this recent a Glibc to confirm
the above, but this is likely relevant to Exim administrators who enable
DANE. Once you upgrade to Glibc 2.31 or higher, you'll need to explicitly
add the "trust-ad" option to your /etc/resolv.conf, while of course also
making sure that all the listed nameservers are local (loopback interface).

This Glibc change also obviates the need to set "RES_USE_DNSSEC" in the
resolver options, because setting the "AD" bit in outgoing queries is
sufficient in modern (post 2013) resolvers:

    https://tools.ietf.org/html/rfc6840#section-5.7


to solicit the AD bit in the reply, without the excess baggage of RRSIGs
and NSEC records, which Exim doesn't actually need, since no DNSSEC
validation is done in Exim itself. Indeed setting RES_USE_DNSSEC
becomes useless, since without "options trust-ad" in /etc/resolv.conf,
all you get is the RRSIGs and NSEC records, the AD bit is censored.

In the case of Postfix, I am inclined to update the DNS lookup routines
to explicitly test for "RES_TRUSTAD" being defined, in which case I no
longer bother with RES_USE_DNSSEC, and instead log a warning that
validated results are not available when that bit is not set in
_res.options (after res_init() when appropriate).

    https://marc.info/?l=postfix-users&m=158694154122255&w=2


Changes along these lines may also be appropriate in Exim to ensure
working DANE support with Glibc >= 2.31. That is, users who upgrade may
not notice that DANE has stopped working, and a warning in the logs
should help. And FWIW, avoiding needless solicitation of DNSSEC RRSIG
and NSEC records is more efficient.

-- 
    Viktor.