mailing list of musl libc
From: Rich Felker <dalias@libc.org>
To: Postfix users <postfix-users@postfix.org>
Cc: musl@lists.openwall.com
Subject: [musl] Re: Outgoing DANE not working
Date: Tue, 19 May 2020 16:08:32 -0400
Message-ID: <20200519200831.GF1079@brightrain.aerifal.cx>
In-Reply-To: <49RN803wcfzJrNv@spike.porcupine.org>

On Tue, May 19, 2020 at 01:25:52PM -0400, Wietse Venema wrote:
> Rich Felker:
> > On Tue, May 19, 2020 at 11:11:56AM -0400, Wietse Venema wrote:
> > > Rich Felker:
> > > > On Tue, May 19, 2020 at 10:23:18AM -0400, Wietse Venema wrote:
> > > > > Rich Felker:
> > > > > > There is fundamentally no build-time test possible for this. Even if we
> > > > > > were willing to make flags for each bug (or missing feature) that was
> > > > > > ever fixed indicating the change, that would only tell you whether the
> > > > > > version present at build time had the property, not whether the
> > > > > > version present at runtime does. With a distro, unless the distro
> > > > > 
> > > > > If you can provide a libc-musl runtime __version variable, then
> > > > > Postfix can at run time determine that the library supports the
> > > > > necessary functionality, and enable/disable DANE accordingly.
> > > > 
> > > > We've been over this countless times from folks requesting version
> > > > numbers. A version number does not tell you what you want to know.
> > > > Distros will patch the functionality into whatever version they're
> > > > shipping. A 1.1.25 (if it ever happens) will likely have the patch
> > > > backported (just applied; no conflict). Querying features has to be
> > > > done on a per-feature basis not based on version numbers. See the
> > > > proposal on libc-coord.
> > > 
> > > Do let us know when libc-musl provides an indication whether a DNS
> > > lookup result is authentic (DNSSEC pass).
> >
> > It is now in master. I've also recommended the patch to Alpine.
> 
> A pointer to how one would use the updated code would be welcome,
> perhaps a pointer to the submit message.

https://git.musl-libc.org/cgit/musl/commit/?id=fd7ec068efd590c0393a612599a4fab9bb0a8633

> I won't comment on distro maintainers who willingly break Postfix's
> security guarantees of DANE, without informing the user.

I'm not encouraging anyone to do that; rather I've encouraged them to
take measures to both:

(1) ensure that DANE is not silently ignored, by either patching
Postfix to work with old musl (prior to the above commit) or patching
the musl package and adding a dependency from the postfix package on
the updated musl package, and:

(2) not ship Postfix packages with DNSSEC/DANE disabled, because that
would encourage admins to switch DANE off in their config files to
"fix the breakage" after upgrading, then forget to turn it back on
once updated packages are available to make it work.

I haven't been through this with other distros yet, but Alpine folks
were committed to both of these principles.

Rich
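The DNS-level indication this thread is about is the AD (Authenticated Data) flag in the DNS response header, which a validating resolver sets when the answer passed DNSSEC validation (RFC 4035). The following is an added example, not code from musl, Postfix or any message in this thread, showing how an application that receives raw resolver output would read that flag and turn it into a DANE decision. The sample messages are constructed header-only byte strings (the checks read nothing past the 12-byte header), the enum names and the four-way policy are this example's own, and whether the resolver that set AD is trustworthy (normally only a validating resolver on localhost is) is deliberately left to the caller.

```c
/* Classify a raw DNS response for DANE use by its header flags.
   Added example with constructed data; not musl or Postfix code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN 12
/* Flag bits of the second 16-bit header word (RFC 1035 sec. 4.1.1, RFC 4035 sec. 3.2.3). */
#define DNS_FLAG_QR 0x8000u   /* 1 = response, 0 = query */
#define DNS_FLAG_TC 0x0200u   /* truncated */
#define DNS_FLAG_RD 0x0100u   /* recursion desired */
#define DNS_FLAG_RA 0x0080u   /* recursion available */
#define DNS_FLAG_AD 0x0020u   /* authenticated data (DNSSEC validated) */
#define DNS_FLAG_CD 0x0010u   /* checking disabled */
#define DNS_RCODE_MASK 0x000fu
#define DNS_RCODE_NOERROR 0
#define DNS_RCODE_NXDOMAIN 3

enum dane_status {
    DANE_UNUSABLE,       /* malformed, truncated, not a response, or error rcode: defer/retry */
    DANE_INSECURE,       /* AD clear: any TLSA data is untrusted, do not enforce DANE */
    DANE_SECURE_EMPTY,   /* AD set, authenticated denial: no TLSA, use non-DANE TLS policy */
    DANE_SECURE_ANSWER   /* AD set with answer records: TLSA records may be used */
};

static unsigned be16(const unsigned char *p) { return (unsigned)p[0] << 8 | p[1]; }

/* Header flags word, or 0 for a message too short to carry a header. */
unsigned dns_flags(const unsigned char *msg, size_t len)
{
    return len < DNS_HDR_LEN ? 0 : be16(msg + 2);
}

/* Set AD in an outgoing query so a validating resolver reports AD back (RFC 6840 sec. 5.7). */
int dns_query_request_ad(unsigned char *query, size_t len)
{
    if (len < DNS_HDR_LEN) return -1;
    query[3] |= DNS_FLAG_AD & 0xffu;
    return 0;
}

/* AD is only meaningful if the resolver that set it is trusted; that is the caller's call. */
enum dane_status dane_classify(const unsigned char *msg, size_t len)
{
    if (len < DNS_HDR_LEN) return DANE_UNUSABLE;
    unsigned flags = be16(msg + 2);
    unsigned rcode = flags & DNS_RCODE_MASK;
    unsigned ancount = be16(msg + 6);

    if (!(flags & DNS_FLAG_QR)) return DANE_UNUSABLE;   /* a query, not a response */
    if (flags & DNS_FLAG_TC) return DANE_UNUSABLE;      /* truncated: retry over TCP */
    if (rcode != DNS_RCODE_NOERROR && rcode != DNS_RCODE_NXDOMAIN)
        return DANE_UNUSABLE;                           /* e.g. SERVFAIL from failed validation */
    if (!(flags & DNS_FLAG_AD)) return DANE_INSECURE;
    if (rcode == DNS_RCODE_NXDOMAIN || ancount == 0) return DANE_SECURE_EMPTY;
    return DANE_SECURE_ANSWER;
}

/* Constructed sample messages, header only: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT. */
const unsigned char sample_query[DNS_HDR_LEN] = {
    0x12,0x34, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00 }; /* RD only, QR clear */
const unsigned char sample_secure[DNS_HDR_LEN] = {
    0x12,0x34, 0x81,0xa0, 0x00,0x01, 0x00,0x02, 0x00,0x00, 0x00,0x00 }; /* QR RD RA AD, 2 answers */
const unsigned char sample_insecure[DNS_HDR_LEN] = {
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x02, 0x00,0x00, 0x00,0x00 }; /* QR RD RA, AD clear */
const unsigned char sample_secure_nx[DNS_HDR_LEN] = {
    0x12,0x34, 0x81,0xa3, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00 }; /* AD set, NXDOMAIN */
const unsigned char sample_truncated[DNS_HDR_LEN] = {
    0x12,0x34, 0x83,0xa0, 0x00,0x01, 0x00,0x02, 0x00,0x00, 0x00,0x00 }; /* TC set */
const unsigned char sample_servfail[DNS_HDR_LEN] = {
    0x12,0x34, 0x81,0x82, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00 }; /* rcode 2 */

/* Copy the sample query, request AD on it, and return the resulting flags word. */
unsigned dns_request_ad_roundtrip(void)
{
    unsigned char q[DNS_HDR_LEN];
    memcpy(q, sample_query, sizeof q);
    if (dns_query_request_ad(q, sizeof q) != 0) return 0;
    return dns_flags(q, sizeof q);
}

int main(void)
{
    static const char *names[] = { "unusable", "insecure", "secure-empty", "secure-answer" };
    printf("secure:    %s\n", names[dane_classify(sample_secure, DNS_HDR_LEN)]);
    printf("insecure:  %s\n", names[dane_classify(sample_insecure, DNS_HDR_LEN)]);
    printf("nxdomain:  %s\n", names[dane_classify(sample_secure_nx, DNS_HDR_LEN)]);
    printf("truncated: %s\n", names[dane_classify(sample_truncated, DNS_HDR_LEN)]);
    printf("servfail:  %s\n", names[dane_classify(sample_servfail, DNS_HDR_LEN)]);
    printf("query+AD flags: 0x%04x\n", dns_request_ad_roundtrip());
    return 0;
}
```

The point of the four-way split is the failure mode the thread is about: a resolver library that never surfaces AD makes every reply look like `DANE_INSECURE`, so an MTA silently downgrades to non-DANE TLS instead of deferring or enforcing. An "insecure" reply must never be upgraded to a secure one by the caller, and AD from a resolver outside the host's trust boundary carries no assurance at all.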
