nanog mailing list archives
Re: DNSSEC and SSL
From: Mans Nilsson <mansaxel () besserwisser org>
Date: Sun, 22 Aug 2010 21:57:27 +0200
Subject: Re: DNSSEC and SSL Date: Sun, Aug 22, 2010 at 09:11:43AM -0400 Quoting ML (ml () kenweb org):
> On 8/22/2010 2:38 AM, Mikael Abrahamsson wrote:
>> No, because DNSSEC isn't secured all the way from the DNS server to the application, only to the resolver. Both systems have problems, I'd imagine the best security is when they work together.
>
> Is a DNSSEC capable stub resolver not in the cards?

The best option today is to run a full-service resolver on the host; which is a tad heavy for most desktops, not to speak about the cache misses that would cause root server system load. The latter of course can be avoided by setting forwarders.

OTOH: A thicker stub resolver does indeed exist; lwresd in the BIND suite. Calling it from applications does however mean using new API calls; since the traditional resolver API is oblivious to DNSSEC.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
What PROGRAM are they watching?
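Added example, not part of the thread and not code from BIND or lwresd: what a DNSSEC-aware stub has to do on the wire that the traditional resolver API never exposes, namely set the EDNS0 DO bit and the AD bit in the query and read the AD bit back from the response header. The AD bit is an unauthenticated header flag, so it only means something when the path to the validating resolver is itself trusted (for example a resolver on the same host); the sample responses and the transaction ID are constructed.

```python
import struct

RD, AD, QR = 0x0100, 0x0020, 0x8000   # DNS header flag bits
DO = 0x8000                           # "DNSSEC OK" bit in the EDNS0 flags field

def build_query(name, qtype=1, txid=0x1234):
    """Query with RD+AD in the header and an EDNS0 OPT record with DO set."""
    header = struct.pack("!HHHHHH", txid, RD | AD, 1, 0, 0, 1)  # 1 question, 1 additional
    labels = [l.encode("ascii") for l in name.split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)             # QTYPE, QCLASS=IN
    # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size,
    # TTL = extended-rcode/version/flags, RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, DO, 0)
    return header + question + opt

def parse_header(msg):
    """Extract the header fields a stub needs to judge validation status."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"txid": txid, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "rcode": flags & 0x000F}

def is_validated(query, response):
    """True only for a NOERROR response to our query that carries AD."""
    q, r = parse_header(query), parse_header(response)
    return r["qr"] and r["txid"] == q["txid"] and r["rcode"] == 0 and r["ad"]

def constructed_response(query, flags, txid=None):
    """Constructed sample: the query echoed back with response flags, no answer RRs."""
    tx = query[:2] if txid is None else struct.pack("!H", txid)
    return tx + struct.pack("!H", flags) + query[4:]

if __name__ == "__main__":
    q = build_query("example.com")
    samples = {
        "validated (QR RD RA AD)": constructed_response(q, 0x81A0),
        "unsigned or non-validating (no AD)": constructed_response(q, 0x8180),
        "SERVFAIL, e.g. validation failure": constructed_response(q, 0x8182),
        "mismatched transaction ID": constructed_response(q, 0x81A0, txid=0x9999),
    }
    for label, resp in samples.items():
        print(f"{label}: is_validated={is_validated(q, resp)}")
```
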
Current thread:
- DNSSEC and SSL ML (Aug 21)
- Re: DNSSEC and SSL Gary Buhrmaster (Aug 21)
- Re: DNSSEC and SSL Mikael Abrahamsson (Aug 21)
- Re: DNSSEC and SSL ML (Aug 22)
- Re: DNSSEC and SSL Mans Nilsson (Aug 22)
- Re: DNSSEC and SSL bmanning (Aug 22)
- Re: DNSSEC and SSL Wes Hardaker (Aug 23)
- Re: DNSSEC and SSL Tony Finch (Aug 23)
- Re: DNSSEC and SSL Curtis Maurand (Aug 23)
- Re: DNSSEC and SSL Doug Barton (Aug 23)
- Re: DNSSEC and SSL ML (Aug 22)
- Re: DNSSEC and SSL bmanning (Aug 22)
- Re: DNSSEC and SSL Tony Finch (Aug 23)
- Re: DNSSEC and SSL Jakob Schlyter (Aug 23)