cloud-init team mailing list archive
Message #00268
Re: Handling the trust-ad resolver option in glibc 2.31+
Hi Florian,
Thanks for your email!
On Fri, Apr 17, 2020 at 07:27:53PM +0200, Florian Weimer wrote:
> glibc 2.31 has support for recognizing that the name servers listed in
> /etc/resolv.conf are reached over a trusted network path and implement
> DNSSEC correctly (but do not necessarily perform validation):
>
> * The DNS stub resolver will optionally send the AD (authenticated data) bit
> in queries if the trust-ad option is set via the options directive in
> /etc/resolv.conf (or if RES_TRUSTAD is set in _res.options). In this
> mode, the AD bit, as provided by the name server, is available to
> applications which call res_search and related functions. In the default
> mode, the AD bit is not set in queries, and it is automatically cleared in
> responses, indicating a lack of DNSSEC validation. (Therefore, the name
> servers and the network path to them are treated as untrusted.)
>
> I think cloud-init needs a way to propagate this information the
> instance data injection.
I don't think I fully understand what "this information" is in this
sentence. Could you expand a little on what you mean here?
> It may make sense to set trust-ad by default for certain injection
> methods, but I am not sure. In order to get the desired AD bit
> semantics, two things are required:
>
> * When sending and receiving packets to the addresses indicated in
> /etc/resolv.conf, the communication must happen with the DNS
> resolver on these IP addresses.
I'm not 100% sure I understand this requirement, could you perhaps
reword it?
> Thoughts?
cloud-init has a module for configuring /etc/resolv.conf,
cc_resolv_conf[0]. It has generic support for passing in "options", so
I don't believe any specific work would be required for users to specify
DNSSEC-related options.
Cheers,
Dan
[0] https://cloudinit.readthedocs.io/en/latest/topics/modules.html#resolv-conf
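As an added illustration of the trust-ad point discussed above (example code, not part of this email or of cloud-init): a small check that parses a resolv.conf and flags trust-ad when any listed name server is not a loopback address, since the AD bit is only meaningful when the path to the resolver is trusted. The sample file contents and the loopback-only trust policy are assumptions of this example.

```python
import ipaddress

# Constructed sample /etc/resolv.conf contents (not from the page).
SAMPLE_LOCAL = """\
# Generated by cloud-init (constructed sample)
nameserver 127.0.0.53
search example.internal
options edns0 trust-ad
"""

SAMPLE_REMOTE = """\
nameserver 10.0.0.2
options timeout:1 attempts:2 trust-ad
"""


def parse_resolv_conf(text):
    """Return (nameservers, options) parsed from resolv.conf text.

    Only 'nameserver' and 'options' directives matter here. 'options' may
    appear more than once; entries are bare flags (trust-ad, edns0) or
    key:value pairs (timeout:1). Comments start with '#' or ';'.
    """
    nameservers, options = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        directive, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if directive == "nameserver" and rest:
            nameservers.append(rest.split()[0])
        elif directive == "options":
            for opt in rest.split():
                key, _, value = opt.partition(":")
                options[key] = value if value else True
    return nameservers, options


def check_trust_ad(text):
    """'untrusted': no trust-ad, so glibc clears the AD bit in responses.
    'ok': trust-ad set and every resolver is loopback (assumed trusted).
    'warn': trust-ad set while some resolver is reached over the network."""
    nameservers, options = parse_resolv_conf(text)
    if "trust-ad" not in options:
        return "untrusted"
    for ns in nameservers:
        try:
            if not ipaddress.ip_address(ns).is_loopback:
                return "warn"
        except ValueError:
            return "warn"  # unparseable address: do not assume trust
    return "ok"
```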