nanog mailing list archives

Re: DNSSEC and SSL


From: Mans Nilsson <mansaxel () besserwisser org>
Date: Sun, 22 Aug 2010 21:57:27 +0200

Subject: Re: DNSSEC and SSL Date: Sun, Aug 22, 2010 at 09:11:43AM -0400 Quoting ML (ml () kenweb org):
> On 8/22/2010 2:38 AM, Mikael Abrahamsson wrote:
> > No, because DNSSEC isn't secured all the way from the DNS server to the
> > application, only to the resolver. Both systems have problems, I'd
> > imagine the best security is when they work together.
>
> Is a DNSSEC capable stub resolver not in the cards?

The best option today is to run a full-service resolver on the host;
which is a tad heavy for most desktops, not to speak about the cache
misses that would cause root server system load. The latter of course
can be avoided by setting forwarders.

OTOH: A thicker stub resolver does indeed exist; lwresd in the BIND
suite. Calling it from applications does however mean using new API
calls; since the traditional resolver API is oblivious to DNSSEC.

-- 
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE                             +46 705 989668
What PROGRAM are they watching?
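
What a DNSSEC-aware stub has to do on the wire that the traditional resolver API never exposes, as an added example (not code from this thread or from BIND's lwresd): set the DO bit in an EDNS0 OPT record on the query, then read the AD bit from the response header. The function names are hypothetical, and the AD bit is only meaningful when the path to the validating resolver is itself trusted (for example a resolver on the same host), because this stub does no validation of its own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define DNS_QR 0x8000u /* header flag: message is a response */
#define DNS_AD 0x0020u /* header flag: resolver validated the answer (RFC 4035) */

/* Build an A query with an EDNS0 OPT record whose DO bit is set (RFC 3225).
   Returns the message length, or 0 if the name or buffer is unusable. */
size_t build_do_query(const char *name, uint16_t id, uint8_t *buf, size_t cap)
{
    /* OPT RR: root name, TYPE 41, UDP size 1232, ext-rcode 0, version 0, DO=1, RDLEN 0 */
    static const uint8_t opt[11] = {0, 0, 41, 0x04, 0xd0, 0, 0, 0x80, 0, 0, 0};
    size_t n = strlen(name), off = 12;
    if (n == 0 || n > 253 || cap < 12 + (n + 2) + 4 + sizeof opt) return 0;
    memset(buf, 0, 12);
    buf[0] = (uint8_t)(id >> 8); buf[1] = (uint8_t)id;
    buf[2] = 0x01;           /* flags: RD (recursion desired) only */
    buf[5] = 1; buf[11] = 1; /* QDCOUNT = 1, ARCOUNT = 1 (the OPT record) */
    while (*name) {          /* dotted name -> length-prefixed labels */
        const char *dot = strchr(name, '.');
        size_t len = dot ? (size_t)(dot - name) : strlen(name);
        if (len == 0 || len > 63) return 0;
        buf[off++] = (uint8_t)len;
        memcpy(buf + off, name, len);
        off += len;
        name += len + (dot ? 1 : 0);
    }
    buf[off++] = 0;                                                 /* root label */
    buf[off++] = 0; buf[off++] = 1; buf[off++] = 0; buf[off++] = 1; /* QTYPE A, QCLASS IN */
    memcpy(buf + off, opt, sizeof opt);
    return off + sizeof opt;
}

/* 1: NOERROR with AD set; 0: NOERROR without AD (unvalidated);
   -1: malformed, wrong id, not a response, or RCODE != 0 (e.g. SERVFAIL). */
int response_ad_status(const uint8_t *msg, size_t len, uint16_t id)
{
    if (len < 12) return -1;
    uint16_t flags = (uint16_t)((msg[2] << 8) | msg[3]);
    if ((uint16_t)((msg[0] << 8) | msg[1]) != id || !(flags & DNS_QR)) return -1;
    if (flags & 0x000fu) return -1;
    return (flags & DNS_AD) ? 1 : 0;
}

int main(void)
{
    uint8_t q[64], resp[12] = {0x12, 0x34, 0x81, 0xa0}; /* constructed header: QR RD RA AD */
    size_t n = build_do_query("example.com", 0x1234, q, sizeof q);
    printf("query: %zu bytes, AD status: %d\n", n, response_ad_status(resp, sizeof resp, 0x1234));
    return 0;
}
```

A validating resolver normally answers SERVFAIL when validation fails, which is why a non-zero RCODE is reported separately from a clean answer that merely lacks AD.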
