From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-3.3 required=5.0 tests=MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 Received: (qmail 1638 invoked from network); 13 Apr 2020 18:35:37 -0000 Received-SPF: pass (mother.openwall.net: domain of lists.openwall.com designates 195.42.179.200 as permitted sender) receiver=inbox.vuxu.org; client-ip=195.42.179.200 envelope-from= Received: from mother.openwall.net (195.42.179.200) by inbox.vuxu.org with UTF8ESMTPZ; 13 Apr 2020 18:35:37 -0000 Received: (qmail 5545 invoked by uid 550); 13 Apr 2020 18:35:34 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: musl@lists.openwall.com Received: (qmail 5506 invoked from network); 13 Apr 2020 18:35:34 -0000 Date: Mon, 13 Apr 2020 14:35:22 -0400 From: Rich Felker To: Postfix users Cc: musl@lists.openwall.com Message-ID: <20200413183522.GX11469@brightrain.aerifal.cx> References: <20200412211807.GC41308@straasha.imrryr.org> <20200413024746.GD41308@straasha.imrryr.org> <6E8A9D4F-18CE-4ADA-A5B4-D14DB30C99E5@dukhovni.org> <25e70f31f0c4629f7a7d3957649d08be06144067.camel@web.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) Subject: [musl] Re: Outgoing DANE not working On Mon, Apr 13, 2020 at 02:15:14PM -0400, Viktor Dukhovni wrote: > > On Apr 13, 2020, at 7:18 AM, Christian wrote: > > > > FYI: I put your findings forward to the musl-libc mailing list and > > asked what they now think what should be done. > > The problem can be partly resolved by setting the "AD" bit in the > outgoing DNS query header sent by the musl-libc stub resolver. Then > the local iterative resolver will return the AD bit in its response. > > However, lack of support for retrying truncated responses over TCP > or support for disabling RES_DEFNAMES and RES_DNSRCH remain as issues. This has also been discussed some on the musl list already (https://www.openwall.com/lists/musl/2020/04/13/1) but I'm replying into this thread as well because I'd like to come to some mutually acceptable solution. musl's stub resolver intentionally speaks only rfc1035 udp, and the intent has always been that DNSSEC validation and policy be the responsibility of the nameserver running on localhost, not the stub resolver or the calling application. The resolver is intentionally stateless. It was probably a mistake to provide the fake _res definition, and I'm interested in resolving that mistake either by removing it or adding res_n* API that honor (parts of) it at some point, but determining the right action here and coordinating with distros to ensure they have fixes in place for anything that breaks will take a while. RES_DEFNAMES and RES_DNSRCH are irrelevant as search is never performed by the res_* interfaces, and domain/search keywords are used only by the high-level ones (getaddrinfo/getnameinfo and the old legacy gethostby*). What is relevant, as far as I can tell, is that Postfix wants a way to perform an EDNS0 query that lets it distinguish between a valid signed result and a valid unsigned result. This is currently not possible, but would be practical to add based on "options edns0" in resolv.conf. I'm not sure if or how soon that will happen, but determining that is something I'd like to have come out of this discussion. >From my perspective, what would work best with what's always been the intended DNSSEC usage model of musl would be if Postfix supported use of DANE with smtp_dns_support_level=enabled, i.e. outsourcing all DNSSEC functionality to the nameserver. Rich