[128996] in North American Network Operators' Group


Re: DNSSEC and SSL

daemon@ATHENA.MIT.EDU (Mans Nilsson)
Sun Aug 22 15:57:39 2010

Date: Sun, 22 Aug 2010 21:57:27 +0200
From: Mans Nilsson <mansaxel@besserwisser.org>
To: ML <ml@kenweb.org>
In-Reply-To: <4C71220F.6040806@kenweb.org>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


Subject: Re: DNSSEC and SSL Date: Sun, Aug 22, 2010 at 09:11:43AM -0400 Quoting ML (ml@kenweb.org):
> On 8/22/2010 2:38 AM, Mikael Abrahamsson wrote:
> > No, because DNSSEC isn't secured all the way from the DNS server to the
> > application, only to the resolver. Both systems have problems, I'd
> > imagine the best security is when they work together.
> >
>
> Is a DNSSEC capable stub resolver not in the cards?

The best option today is to run a full-service resolver on the host;
which is a tad heavy for most desktops, not to speak about the cache
misses that would cause root server system load. The latter of course
can be avoided by setting forwarders.

OTOH: A thicker stub resolver does indeed exist; lwresd in the BIND
suite. Calling it from applications does however mean using new API
calls, since the traditional resolver API is oblivious to DNSSEC.

-- 
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE                             +46 705 989668
What PROGRAM are they watching?
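As an added illustration (not part of the original post or of BIND/lwresd), the gap described above can be seen at the wire level: an application using getaddrinfo() never sees the AD ("Authentic Data") flag, so it has to speak DNS itself to learn whether the resolver validated. This standard-library Python example builds a query with the EDNS0 DO bit set and inspects the header flags of constructed sample responses; the AD bit is only meaningful when the path to the resolver is itself trusted (e.g. a validating resolver on localhost), which is exactly the last-mile problem the thread discusses.

```python
import struct

DO_BIT = 0x8000  # EDNS0 "DNSSEC OK" flag, high bit of the OPT RR's 16-bit flags (RFC 6891)
AD_BIT = 0x0020  # "Authentic Data" flag in the DNS header flags word (RFC 4035)


def build_dnssec_query(name, qtype=1, txid=0x1234):
    """Return a wire-format DNS query for `name` carrying an OPT RR with DO=1.

    RD=1 so a recursive resolver answers; ARCOUNT=1 for the OPT record.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT RR: root owner name, TYPE=41, CLASS=UDP payload size,
    # TTL=ext-rcode(8)|version(8)|flags(16) with DO set, RDLENGTH=0.
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, DO_BIT, 0)
    return header + question + opt


def response_is_validated(msg):
    """True only if `msg` is a successful response whose resolver set AD=1.

    A validating resolver signals a bogus answer with SERVFAIL (RCODE=2),
    so an error response is never treated as validated.
    """
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags = struct.unpack("!HH", msg[:4])
    qr = flags >> 15
    rcode = flags & 0x000F
    return qr == 1 and rcode == 0 and bool(flags & AD_BIT)


# Constructed sample response headers (12 bytes each; bodies omitted because
# only the flags word is inspected). Counts are illustrative, not real answers.
SAMPLE_AD = b"\x12\x34\x81\xa0" + b"\x00\x01\x00\x01\x00\x00\x00\x01"     # QR RD RA AD
SAMPLE_NO_AD = b"\x12\x34\x81\x80" + b"\x00\x01\x00\x01\x00\x00\x00\x01"  # QR RD RA, no AD
SAMPLE_SERVFAIL = b"\x12\x34\x81\x82" + b"\x00\x01\x00\x00\x00\x00\x00\x01"  # RCODE=2

if __name__ == "__main__":
    print("query bytes:", build_dnssec_query("example.com").hex())
    for label, sample in (("AD", SAMPLE_AD), ("no AD", SAMPLE_NO_AD), ("SERVFAIL", SAMPLE_SERVFAIL)):
        print(f"{label}: validated={response_is_validated(sample)}")
```

The flags-word check is what a DNSSEC-aware stub (or an application calling a DNSSEC-aware API such as lwresd's) does that the classic resolver calls cannot.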


