hat tip to .gov hostmasters

David Conrad drc at virtualized.org
Mon Sep 22 12:05:42 CDT 2008

On Sep 22, 2008, at 7:56 AM, Florian Weimer wrote:
>> I'm not much up on DNSSEC, but don't you need to be using a resolver
>> that recognizes DNSSEC in order for this to be useful?

Yes, and you also need the trust anchors for the zones you want to  
validate configured.

> Correct, you need a validating, security-aware stub resolver, or the
> ISP needs to validate the records for you.

Slight clarification: you need a validating, security-aware resolver,  
whether that resolver is local (e.g., running on the same machine  
issuing the DNS queries) or remote (e.g., your ISP's resolver).  Note  
that, for good or ill, you are trusting the operator of the resolver  
and the communication channel between the resolver and the application  
making the DNS requests.

A validating, security-aware _stub_ resolver, typically linked into  
the program issuing the DNS requests and thus the ultimate in  
'local', would have the ability to validate the response and supply  
feedback to the application with minimum vulnerability to MITM  
attacks.  The downside is the added complexity of the code to do the  
validation and to handle validation failures.
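Added example, not part of the thread above and not code from any of the posters: the wire-level mechanics behind "you are trusting the operator of the resolver and the communication channel". An application that relies on a remote validating resolver learns the validation result from a single header bit (AD, RFC 4035 section 3.2), requested by setting DO in the EDNS OPT record; a validating stub additionally sets CD so the upstream resolver returns data it could not validate and leaves the decision to the stub. The resolver, the query, the response and the on-path attacker below are all constructed in the script (stdlib only, no network); `trust_answer` and the `channel_trusted` flag are this example's own names.

```python
import struct

# DNS header flag bits (RFC 1035; AD and CD from RFC 4035 section 3.2)
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
DO = 0x8000                      # DNSSEC OK bit, carried in the OPT RR TTL field (RFC 6891)
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
SERVFAIL = 2


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, validate_locally, txid=0x1234):
    """DNSSEC-aware query. DO asks the resolver to include RRSIG/DNSKEY/DS records.
    A validating stub also sets CD (checking disabled) so the resolver hands back
    data it could not validate instead of SERVFAIL; the stub validates itself."""
    flags = RD | (CD if validate_locally else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)   # 1 question, 1 additional (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT RR: root name, type 41, UDP payload size in the class field, DO in the TTL field
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO, 0)
    return header + question + opt


def query_requests_dnssec(query):
    """True if the trailing OPT RR (as laid out by build_query) has DO set."""
    _, rtype, _, ttl, _ = struct.unpack("!BHHIH", query[-11:])
    return rtype == TYPE_OPT and bool(ttl & DO)


def parse_flags(msg):
    """Pull the bits an application cares about out of the 12-byte header."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"id": txid, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "rcode": flags & 0x000F}


def build_response(query, validated, rcode=0):
    """Constructed reply from a hypothetical validating resolver: echoes the ID
    and question, sets AD only when its own validation succeeded. Answer RRs are
    omitted because the header is all the application-side decision below uses."""
    txid, qflags = struct.unpack("!HH", query[:4])
    flags = QR | RD | RA | rcode | (AD if validated else 0) | (qflags & CD)
    question = query[12:len(query) - 11]                      # strip header and OPT RR
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question


def strip_ad(msg):
    """What an on-path attacker between the application and a remote resolver can
    do to a cleartext reply: flip one header bit. Clearing AD downgrades a validated
    answer; the same one-bit change in the other direction forges validation."""
    flags = struct.unpack("!H", msg[2:4])[0] & ~AD & 0xFFFF
    return msg[:2] + struct.pack("!H", flags) + msg[4:]


def trust_answer(query, response, channel_trusted):
    """Decision for a non-validating stub that relies on the remote resolver.
    AD is evidence of validation only if the resolver operator is trusted AND the
    path to it cannot be tampered with (loopback, or an authenticated transport);
    channel_trusted is the caller's assertion of the latter."""
    f = parse_flags(response)
    if f["id"] != parse_flags(query)["id"] or not f["qr"] or f["rcode"] != 0:
        return False
    return f["ad"] and channel_trusted


if __name__ == "__main__":
    q = build_query("example.com.", TYPE_A, validate_locally=False)
    ok = build_response(q, validated=True)
    print("validated, trusted channel :", trust_answer(q, ok, channel_trusted=True))
    print("validated, untrusted channel:", trust_answer(q, ok, channel_trusted=False))
    print("AD stripped on the wire    :", trust_answer(q, strip_ad(ok), channel_trusted=True))
    print("resolver SERVFAIL          :", trust_answer(q, build_response(q, False, SERVFAIL), True))
```

The last case is the other half of the trade-off in the post: with CD clear, a validation failure at the resolver comes back as SERVFAIL and the application gets no data at all; with CD set, the data arrives with AD clear and it is the stub's own validation code, and its failure handling, that has to decide.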


