On Thu, Apr 30, 2020 at 5:39 AM Vladimír Čunát <vladimir.cunat+i...@nic.cz> wrote:
> On 4/30/20 2:01 AM, Shumon Huque wrote:
> > It definitely can't set the AD bit. So, I suppose your argument is why
> > bother authenticating the target. That's a defensible question. [...]
>
> Certainly not defensible. The AD bit isn't the only part. What if the
> CNAME target is spoofed (BOGUS) or something?

Yeah, that's a good point, and I agree. The whole response can be spoofed anyway because the preceding CNAME is insecure. But as a general security principle, validators should validate everything they are able, in order to reduce the number of points in the system where spoofing can happen undetected.

> Actually, I believe most
> end-clients don't look at AD, so it's just the SERVFAILs that protect
> them from using spoofed data.

In this discussion, I'd read the AD parts as a proxy for the validator's assessment of the security state of the response (from which the AD setting is derived). It's true that the majority of clients don't look at AD, but there are notable exceptions - quite a few DANE SMTP client implementations do, I believe.

Shumon.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
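The behaviour discussed in this message, as an added example that is not part of the original e-mail and is not any resolver's actual code: a simplified model of how a validator derives the response code and AD bit from the per-RRset security states along a CNAME chain, comparing "validate everything" with "stop at the first insecure link". The names `State` and `assess` and the sample zone names are assumptions made for illustration.

```python
from enum import Enum


class State(Enum):
    SECURE = "secure"      # chain of trust verified
    INSECURE = "insecure"  # provably unsigned zone
    BOGUS = "bogus"        # signed zone, validation failed


def assess(chain, validate_after_insecure=True):
    """Return (rcode, ad_bit) for a CNAME chain.

    chain: list of (rrset_label, State) in chain order, where State is the
    result the validator would get if it checked that RRset.
    validate_after_insecure=False models a validator that stops checking
    once it has passed an insecure link and treats the rest as insecure.
    """
    seen = []
    skipping = False
    for _label, state in chain:
        if skipping:
            state = State.INSECURE  # never checked, so a BOGUS target goes unnoticed
        seen.append(state)
        if state is State.INSECURE and not validate_after_insecure:
            skipping = True
    if State.BOGUS in seen:
        return ("SERVFAIL", False)
    # AD reflects the whole response: set only if every RRset is secure.
    return ("NOERROR", all(s is State.SECURE for s in seen))


# Constructed sample chains (hypothetical names).
SPOOFED_TARGET = [("www.unsigned.example. CNAME", State.INSECURE),
                  ("host.signed.example. A", State.BOGUS)]
CLEAN_TARGET = [("www.unsigned.example. CNAME", State.INSECURE),
                ("host.signed.example. A", State.SECURE)]
ALL_SECURE = [("www.signed.example. CNAME", State.SECURE),
              ("host.signed.example. A", State.SECURE)]

if __name__ == "__main__":
    for name, chain in [("spoofed target", SPOOFED_TARGET),
                        ("clean target", CLEAN_TARGET),
                        ("all secure", ALL_SECURE)]:
        print(name, assess(chain), assess(chain, validate_after_insecure=False))
```

In both policies the AD bit is clear for the chain with the insecure CNAME; only the SERVFAIL distinguishes them, which is what a client that ignores AD depends on.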