North American Network Operators Group


Re: hat tip to .gov hostmasters

  • From: David Conrad
  • Date: Mon Sep 22 13:05:52 2008

On Sep 22, 2008, at 7:56 AM, Florian Weimer wrote:
I'm not much up on DNSSEC, but don't you need to be using a resolver
that recognizes DNSSEC in order for this to be useful?

Yes, and you also need the trust anchors for the zones you want to validate configured.


Correct, you need a validating, security-aware stub resolver, or the
ISP needs to validate the records for you.

Slight clarification: you need a validating, security-aware resolver, whether that resolver is local (e.g., running on the same machine issuing the DNS queries) or remote (e.g., your ISP's resolver). Note that, for good or ill, you are trusting the operator of the resolver and the communication channel between the resolver and the application making the DNS requests.


A validating, security-aware _stub_ resolver, typically linked into the program issuing the DNS requests and thus the ultimate in 'local', would have the ability to validate the response and supply feedback to the application with minimum vulnerability to MITM attacks. The downside is the added complexity of the code to do the validation and to handle validation failures.

Regards,
-drc
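As an added illustration of the distinction drawn above (not part of the original post or the NANOG thread): a small Python script that builds a query with the EDNS0 DO bit set, reads the AD and CD header flags from a response, and only treats the AD bit as meaning "validated" when the caller trusts both the resolver and the path to it. The function names, the hypothetical `resolver_and_path_trusted` argument and the sample response headers are constructed for this example.

```python
import struct

DNS_FLAG_QR = 0x8000   # response bit
DNS_FLAG_AD = 0x0020   # Authenticated Data (RFC 4035, 3.2.3)
DNS_FLAG_CD = 0x0010   # Checking Disabled (client asked resolver not to validate)
EDNS_DO = 0x8000       # DNSSEC OK bit, carried in the OPT RR TTL field (RFC 4035, 3.2.1)

def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=1, txid=0x1234):
    """Standard query (RD set) with one EDNS0 OPT RR asking for DNSSEC records."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, UDP payload 4096, TTL field holds the DO bit, no rdata
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt

def parse_flags(msg):
    """Return the header flags relevant to DNSSEC from a raw DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _, flags, *_ = struct.unpack("!HHHHHH", msg[:12])
    return {"qr": bool(flags & DNS_FLAG_QR), "rcode": flags & 0x000F,
            "ad": bool(flags & DNS_FLAG_AD), "cd": bool(flags & DNS_FLAG_CD)}

def validation_status(msg, resolver_and_path_trusted):
    """Interpret a remote resolver's AD bit: it only means something if you trust
    the resolver operator and the channel it arrived over (the point made above)."""
    f = parse_flags(msg)
    if not f["qr"]:
        raise ValueError("not a response")
    if f["cd"] or not f["ad"]:
        return "unvalidated"
    return "validated" if resolver_and_path_trusted else "ad-set-but-untrusted"

# Constructed sample response headers; only the flags are needed to read AD/CD.
RESPONSE_AD = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)     # QR RD RA AD
RESPONSE_NO_AD = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)  # QR RD RA

if __name__ == "__main__":
    print(len(build_query("example.com")), "byte query with DO set")
    print(validation_status(RESPONSE_AD, True), validation_status(RESPONSE_AD, False))
```

A validating stub linked into the application would skip the `resolver_and_path_trusted` question entirely by checking the RRSIG chain itself against its configured trust anchors.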