hat tip to .gov hostmasters
drc at virtualized.org
Mon Sep 22 12:05:42 CDT 2008
On Sep 22, 2008, at 7:56 AM, Florian Weimer wrote:
>> I'm not much up on DNSSEC, but don't you need to be using a resolver
>> that recognizes DNSSEC in order for this to be useful?
Yes, and you also need the trust anchors for the zones you want to
> Correct, you need a validating, security-aware stub resolver, or the
> ISP needs to validate the records for you.
Slight clarification: you need a validating, security-aware resolver,
whether that resolver is local (e.g., running on the same machine
issuing the DNS queries) or remote (e.g., your ISP's resolver). Note
that, for good or ill, you are trusting the operator of the resolver
and the communication channel between the resolver and the application
making the DNS requests.
A validating, security-aware _stub_ resolver, typically linked into
the program issuing the DNS requests and thus the ultimate in
'local', would have the ability to validate the response and supply
feedback to the application with minimum vulnerability to MITM
attacks. The downside is the added complexity of the code to do the
validation and to handle validation failures.
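As an added illustration, not part of this message or the thread, the following Python (standard library only) parses the DNS message header and models the two deployment choices described above: an application that relies on a remote validating resolver learns the result only through the AD bit, which crosses the resolver-to-application hop unprotected, whereas a validating stub sets CD in its query and decides on the basis of its own RRSIG check. The packet bytes, message IDs and function names are constructed for this example; the actual signature verification against a trust anchor is outside its scope.

```python
"""Added example: where the trust boundaries sit for an application that
delegates DNSSEC validation to its resolver versus one that validates itself.
Everything here (packets, IDs, function names) is constructed for
illustration; no real DNSSEC signature checking is performed."""
import struct

# Flag bits in the 16-bit header flags word (RFC 1035 section 4.1.1; AD and CD
# are defined in RFC 4035 section 3.2).  Bit positions count from the MSB.
QR = 0x8000  # message is a response
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available
AD = 0x0020  # authenticated data: resolver asserts it validated the answer
CD = 0x0010  # checking disabled: the client will do its own validation
RCODE_MASK = 0x000F

HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount


def build_header(msg_id, flags, qdcount=1, ancount=0, nscount=0, arcount=0):
    """Serialize a 12-byte DNS header."""
    return HEADER.pack(msg_id, flags, qdcount, ancount, nscount, arcount)


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_header(wire):
    """Decode the 12-byte header of a DNS message into named fields."""
    if len(wire) < HEADER.size:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, qd, an, ns, ar = HEADER.unpack_from(wire)
    return {
        "id": msg_id,
        "qr": bool(flags & QR),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def query_flags(validate_locally):
    """Header flags a client puts in its query for the two models above.

    - Trusting a remote validating resolver: RD=1 plus AD=1 in the query,
      which (RFC 6840 section 5.7) asks the resolver to report AD back.
    - Validating stub: RD=1 plus CD=1, so the upstream hands back the
      RRSIGs untouched instead of hiding a failure behind SERVFAIL, and the
      stub checks them itself against its configured trust anchors.
    """
    return RD | (CD if validate_locally else AD)


def remote_validation_accepts(response_wire):
    """Decision of an application that delegates validation to its resolver:
    accept only a non-error response on which the resolver set AD.
    Every input to this decision lives in the unprotected header."""
    h = parse_header(response_wire)
    return h["qr"] and h["rcode"] == 0 and h["ad"]


def local_validation_accepts(response_wire, rrsig_check_passed):
    """Decision of a validating stub: AD from upstream is ignored entirely;
    only the stub's own RRSIG verification (result passed in) matters."""
    h = parse_header(response_wire)
    return h["qr"] and h["rcode"] == 0 and rrsig_check_passed


def strip_ad(response_wire):
    """Model the resolver-to-application hop: on a plain UDP/TCP channel
    (no TSIG, DoT or DoH) an on-path party can clear the AD bit and the
    application cannot tell that from the resolver never having validated."""
    msg_id, flags = struct.unpack_from("!HH", response_wire)
    return struct.pack("!HH", msg_id, flags & ~AD & 0xFFFF) + response_wire[4:]


# Constructed sample: a validated, NOERROR response from an ISP resolver
# (question section only; no answer records are needed for the header logic).
SAMPLE_RESPONSE = (
    build_header(0x1234, QR | RD | RA | AD)
    + encode_name("example.com")
    + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
)

if __name__ == "__main__":
    print("remote model accepts as delivered:", remote_validation_accepts(SAMPLE_RESPONSE))
    print("remote model after AD stripped on path:", remote_validation_accepts(strip_ad(SAMPLE_RESPONSE)))
    print("stub model ignores AD, trusts own check:", local_validation_accepts(strip_ad(SAMPLE_RESPONSE), True))
```

The two `*_accepts` functions make the trust question concrete: in the remote model the application's view of "validated" is exactly one header bit on a hop it does not protect, while the stub model's answer does not change when that bit is rewritten, at the cost of the stub carrying the validation code and a failure-handling policy of its own.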