hat tip to .gov hostmasters
On Sep 22, 2008, at 7:56 AM, Florian Weimer wrote:
>> I'm not much up on DNSSEC, but don't you need to be using a resolver
>> that recognizes DNSSEC in order for this to be useful?
Yes, and you also need the trust anchors for the zones you want to
validate configured.
> Correct, you need a validating, security-aware stub resolver, or the
> ISP needs to validate the records for you.
Slight clarification: you need a validating, security-aware resolver,
whether that resolver is local (e.g., running on the same machine
issuing the DNS queries) or remote (e.g., your ISP's resolver). Note
that, for good or ill, you are trusting the operator of the resolver
and the communication channel between the resolver and the application
making the DNS requests.
A validating, security-aware _stub_ resolver, typically linked into
the program issuing the DNS requests and thus the ultimate in
'local', would have the ability to validate the response and supply
feedback to the application with minimum vulnerability to MITM
attacks. The downside is the added complexity of the code to do the
validation and to handle validation failures.
Regards,
-drc
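The distinction drc draws above, between a stub that asks a remote validating resolver for help and one that validates itself, is visible on the wire. The following is an added example, not code from the thread or from any of its participants: it builds a DNS query with the EDNS0 DO bit (the stub's "please send me DNSSEC data") and the CD bit (the way a validating stub asks the upstream resolver not to pre-validate), and parses a constructed reply to read the AD bit, which is the only signal a non-validating stub ever gets that the remote resolver validated. The AD bit is an unsigned header flag, so it is worth exactly as much as the trust you place in the resolver operator and the channel, which is the point drc makes. The name `example.com`, the transaction ID and the reply contents are constructed for the example.

```python
import struct

# Flag bits in the DNS header (RFC 1035, RFC 4035 for AD/CD).
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010
OPT_TYPE = 41          # EDNS0 OPT pseudo-RR (RFC 6891)
EDNS_DO = 0x8000       # DNSSEC OK bit in the OPT TTL field (RFC 3225)


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dnssec_query(name, qtype=1, txid=0x1234, checking_disabled=False):
    """Build a recursive (RD=1) query carrying an OPT RR with DO=1.

    checking_disabled=True sets CD, which is what a validating stub sends so the
    upstream resolver hands back signed data even if its own validation fails.
    The txid is fixed here only for the example; a real stub must randomise it.
    """
    flags = RD | (CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # QD=1, AR=1 (the OPT RR)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, "class" = UDP payload size, "TTL" = ext-rcode|version|flags
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, EDNS_DO, 0)
    return header + question + opt


def parse_flags(msg):
    """Decode the 12-byte header; the AD bit is the resolver's unauthenticated claim."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR), "aa": bool(flags & AA), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "ad": bool(flags & AD), "cd": bool(flags & CD),
        "rcode": flags & 0x000F,
        "counts": (qd, an, ns, ar),
    }


def skip_name(msg, off):
    """Return the offset just past a wire-format name, handling compression pointers."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + ln


def edns_do(msg):
    """True if the message carries an OPT RR with the DO bit set."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return bool(ttl & EDNS_DO)
    return False


def sample_response(name, txid=0x1234):
    """Constructed reply as a remote validating resolver would send it: QR, RA, AD set.

    Nothing here is signed; a stub that trusts this AD bit is trusting the
    resolver operator and the path between the resolver and the application.
    """
    header = struct.pack("!HHHHHH", txid, QR | RD | RA | AD, 1, 1, 0, 1)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, EDNS_DO, 0)
    return header + question + answer + opt


def resolver_claims_validated(query, response):
    """What a non-validating stub can conclude: matching ID and AD=1, nothing more."""
    q, r = parse_flags(query), parse_flags(response)
    return r["qr"] and r["id"] == q["id"] and r["rcode"] == 0 and r["ad"]


if __name__ == "__main__":
    q = build_dnssec_query("example.com")
    r = sample_response("example.com")
    print("resolver set AD:", resolver_claims_validated(q, r))
    print("validating-stub query sets CD:",
          parse_flags(build_dnssec_query("example.com", checking_disabled=True))["cd"])
```

A validating stub would go further than `resolver_claims_validated`: it would ignore AD, request the RRSIG and DNSKEY/DS chain (which the DO bit asks for) and check signatures back to a configured trust anchor itself, which is the extra code and failure handling drc refers to.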