[129001] in North American Network Operators' Group


Re: DNSSEC and SSL

daemon@ATHENA.MIT.EDU (bmanning@vacation.karoshi.com)
Sun Aug 22 17:39:17 2010

Date: Sun, 22 Aug 2010 21:38:28 +0000
From: bmanning@vacation.karoshi.com
To: Mans Nilsson <mansaxel@besserwisser.org>
In-Reply-To: <20100822195727.GA26860@besserwisser.org>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Sun, Aug 22, 2010 at 09:57:27PM +0200, Mans Nilsson wrote:
> Subject: Re: DNSSEC and SSL
> Date: Sun, Aug 22, 2010 at 09:11:43AM -0400
> Quoting ML (ml@kenweb.org):
> > On 8/22/2010 2:38 AM, Mikael Abrahamsson wrote:
> > > No, because DNSSEC isn't secured all the way from the DNS server to the
> > > application, only to the resolver. Both systems have problems, I'd
> > > imagine the best security is when they work together.
> > > 
> > 
> > Is a DNSSEC capable stub resolver not in the cards?
> 
> The best option today is to run a full-service resolver on the host;
> which is a tad heavy for most desktops, not to speak about the cache
> misses that would cause root server system load. The latter of course
> can be avoided by setting forwarders.

	That assertion is unverified. I suspect that cache misses
	would not overload the system as it currently stands (modulo
	a ramp-up of DNSSEC-capable stubs/full-service IMRs).

> OTOH: A thicker stub resolver does indeed exist; lwresd in the BIND
> suite. Calling it from applications does however mean using new API
> calls; since the traditional resolver API is oblivious to DNSSEC.

	Perhaps a review of lwresd/unbound would be worth a
	gander.

--bill

> 
> -- 
> Mens Nilsson     primary/secondary/besserwisser/machina
> MN-1334-RIPE                             +46 705 989668
> What PROGRAM are they watching?
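As an added illustration, not part of this thread: the AD ("authenticated data") bit a traditional stub receives is a single flag in the DNS header, so a non-validating stub can only treat it as meaningful when the hop to the resolver is itself trusted, here assumed to be loopback, which is what running the resolver on the host buys you. The response bytes and the loopback-only policy below are constructed for the example; a validating stub or on-host full resolver would instead check the RRSIGs itself, which is not shown.

```python
import struct
from ipaddress import ip_address

# DNS header flag bits (RFC 1035; AD and CD from RFC 4035 section 3.2.3)
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010


def build_response(txid, flags, name, addr):
    """Constructed minimal A-record response: header, one question, one answer."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    qname = labels + b"\x00"
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)   # qd=1, an=1
    question = qname + struct.pack("!HH", 1, 1)                 # QTYPE=A, QCLASS=IN
    rdata = bytes(int(o) for o in addr.split("."))
    # 0xC00C is a compression pointer to the QNAME at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer


def parse_header(msg):
    """Decode the 12-byte header; the AD bit is just bit 5 of the flags word."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "rcode": flags & 0x000F,
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "qdcount": qd,
        "ancount": an,
    }


def stub_accepts_as_secure(msg, resolver_ip):
    """Policy of a non-validating stub (assumption for this example):
    nothing in the message proves who set AD, so the bit only counts
    when the resolver is reached over a trusted hop, here loopback."""
    hdr = parse_header(msg)
    if hdr["rcode"] != 0 or hdr["ancount"] == 0:
        return False
    return hdr["ad"] and ip_address(resolver_ip).is_loopback


if __name__ == "__main__":
    flags = FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD
    msg = build_response(0x1234, flags, "www.example.", "192.0.2.1")
    # Identical bytes, different trust: only the on-host resolver's AD counts.
    print(stub_accepts_as_secure(msg, "127.0.0.1"))   # True
    print(stub_accepts_as_secure(msg, "192.0.2.53"))  # False
```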
