nanog mailing list archives
Re: hat tip to .gov hostmasters
From: David Conrad <drc () virtualized org>
Date: Mon, 22 Sep 2008 10:05:42 -0700
On Sep 22, 2008, at 7:56 AM, Florian Weimer wrote:
I'm not much up on DNSSEC, but don't you need to be using a resolver that recognizes DNSSEC in order for this to be useful?
Yes, and you also need the trust anchors for the zones you want to validate configured.
Correct, you need a validating, security-aware stub resolver, or the ISP needs to validate the records for you.
Slight clarification: you need a validating, security-aware resolver, whether that resolver is local (e.g., running on the same machine issuing the DNS queries) or remote (e.g., your ISP's resolver). Note that, for good or ill, you are trusting the operator of the resolver and the communication channel between the resolver and the application making the DNS requests.
A validating, security-aware _stub_ resolver, typically linked into the program issuing the DNS requests and thus the ultimate in 'local', would have the ability to validate the response and supply feedback to the application with minimum vulnerability to MITM attacks. The downside is the added complexity of the code to do the validation and to handle validation failures.
Regards, -drc
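
The trust relationship described in the message above, as an added example that is not part of the original post: a non-validating stub sets the DO bit and reads the AD flag from the resolver's reply, and that flag means something only if the path to the resolver is protected. The function names, the `channel_protected` parameter, the verdict strings and the sample bytes are constructed for illustration.

```python
import struct

QR, AD = 0x8000, 0x0020          # header flag bits (AD is defined in RFC 4035)
SERVFAIL = 2

def build_query(name, txid, qtype=1):
    """Wire-format query: RD set, plus an EDNS0 OPT record with the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    # OPT RR: root owner, type 41, class = UDP size, TTL field carries DO (0x8000)
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def classify(response, txid, channel_protected):
    """Decide what a non-validating stub may conclude from a resolver's reply.

    channel_protected is the caller's assertion (an assumption of this sketch)
    that the path to the resolver is loopback or integrity-protected.
    """
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not (flags & QR):
        raise ValueError("not a response to our query")
    if (flags & 0x000F) == SERVFAIL:
        return "servfail"            # includes validation failure at the resolver
    if not (flags & AD):
        return "unvalidated"         # unsigned zone, or resolver does not validate
    # AD is a plain header bit; nothing in the message signs it.
    return "validated-by-resolver" if channel_protected else "ad-claim-unverifiable"

def sample_response(txid, flags):
    """Constructed 12-byte header-only reply, for illustration."""
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)

if __name__ == "__main__":
    txid = 0x1234
    print(build_query("example.gov", txid).hex())
    for flags in (0x81A0, 0x8180, 0x8182):     # AD set, AD clear, SERVFAIL
        for protected in (True, False):
            reply = sample_response(txid, flags)
            print(hex(flags), protected, classify(reply, txid, protected))
```

A validating stub resolver would not rely on the AD flag at all; it would fetch the RRSIG and DNSKEY records and check the chain to its configured trust anchor itself.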