nanog mailing list archives

Re: DNSSEC and SSL


From: bmanning () vacation karoshi com
Date: Sun, 22 Aug 2010 21:38:28 +0000

On Sun, Aug 22, 2010 at 09:57:27PM +0200, Mans Nilsson wrote:
Subject: Re: DNSSEC and SSL Date: Sun, Aug 22, 2010 at 09:11:43AM -0400 Quoting ML (ml () kenweb org):
On 8/22/2010 2:38 AM, Mikael Abrahamsson wrote:
No, because DNSSEC isn't secured all the way from the DNS server to the
application, only to the resolver. Both systems have problems; I'd
imagine the best security is when they work together.


Is a DNSSEC capable stub resolver not in the cards?

The best option today is to run a full-service resolver on the host;
which is a tad heavy for most desktops, not to speak about the cache
misses that would cause root server system load. The latter of course
can be avoided by setting forwarders.

        that assertion is unverified. i suspect that cache misses
        would not overload the system as it currently stands. (modulo
        a ramp up of DNSSEC capable stubs/full service IMRs).

OTOH: A thicker stub resolver does indeed exist: lwresd in the BIND
suite. Calling it from applications does, however, mean using new API
calls, since the traditional resolver API is oblivious to DNSSEC.

        perhaps a review of lwresd/unbound would be worth a
        gander.

--bill


-- 
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE                             +46 705 989668
What PROGRAM are they watching?
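An added illustration of the point made in this thread (not code from the thread, from BIND's lwresd or from unbound): a DNSSEC-aware stub has to set the EDNS0 DO bit to get signatures back, and the only validation signal a non-validating stub sees is the AD flag in the resolver's reply, which it can trust only when the path to that resolver is trustworthy (e.g. a full-service resolver on the same host). The sample responses are constructed headers; name and transaction id are arbitrary.

```python
import struct

DO_FLAG = 0x8000   # bit in the OPT RR's TTL field: "DNSSEC OK"
AD_BIT = 0x0020    # header flag: Authenticated Data, set by a validating resolver
CD_BIT = 0x0010    # header flag: Checking Disabled (not set here)

def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, txid=0x1234, do=True):
    """Build a UDP DNS query; with do=True append an EDNS0 OPT RR carrying the DO
    bit, which is how a DNSSEC-aware stub asks for RRSIGs and the AD flag.
    The classic gethostbyname()/getaddrinfo() path never sends this."""
    arcount = 1 if do else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)       # class IN
    opt = b""
    if do:
        # OPT RR: root owner, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-rcode | version | flags (DO), RDLEN 0
        opt = b"\x00" + struct.pack("!HHIH", 41, 4096, DO_FLAG, 0)
    return header + question + opt

def validation_status(response, resolver_on_host):
    """Classify what the application can actually conclude from a response.
    A non-validating stub cannot check RRSIGs itself; it only sees the AD bit,
    and that bit is only as trustworthy as the path to the resolver."""
    _, flags = struct.unpack("!HH", response[:4])
    if flags & 0x000F:          # non-zero RCODE, e.g. SERVFAIL on bogus data
        return "failed"
    if not flags & AD_BIT:
        return "unvalidated"
    return "validated" if resolver_on_host else "validated-by-remote-resolver"

# Constructed sample response headers: QR|RD|RA set, AD on / off, and SERVFAIL.
RESP_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
RESP_PLAIN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
RESP_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)

if __name__ == "__main__":
    print(build_query("example.com.").hex())
    for r in (RESP_VALIDATED, RESP_PLAIN, RESP_SERVFAIL):
        print(validation_status(r, resolver_on_host=True),
              validation_status(r, resolver_on_host=False))
```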