DNSSEC and SSL

Mans Nilsson mansaxel at besserwisser.org
Sun Aug 22 14:57:27 CDT 2010


Subject: Re: DNSSEC and SSL
Date: Sun, Aug 22, 2010 at 09:11:43AM -0400
Quoting ML (ml at kenweb.org):
> On 8/22/2010 2:38 AM, Mikael Abrahamsson wrote:
> > No, because DNSSEC isn't secured all the way from the DNS server to the
> > application, only to the resolver. Both systems have problems, I'd
> > imagine the best security is when they work together.
> > 
> 
> Is a DNSSEC capable stub resolver not in the cards?

The best option today is to run a full-service resolver on the host,
which is a tad heavy for most desktops, not to speak of the cache
misses that would cause root server system load. The latter of course
can be avoided by setting forwarders.

OTOH: A thicker stub resolver does indeed exist: lwresd in the BIND
suite. Calling it from applications does, however, mean using new API
calls, since the traditional resolver API is oblivious to DNSSEC.

-- 
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE                             +46 705 989668
What PROGRAM are they watching?
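
The following is an added example, not part of the original post and not BIND or lwresd code. It shows the only DNSSEC information a non-validating stub gets back from its resolver: the AD bit in the response header, requested by setting DO in an EDNS0 OPT record. The function names `build_query` and `classify_response` and the `STUB_*` values are hypothetical, and the name and ID used in `main` are constructed.

```c
#include <stdint.h>
#include <string.h>

#define DNS_QR  0x8000u /* header flags: this is a response */
#define DNS_RD  0x0100u /* recursion desired */
#define DNS_AD  0x0020u /* Authenticated Data: the resolver claims it validated */
#define EDNS_DO 0x8000u /* DNSSEC OK flag carried in the OPT RR's TTL field */

enum verdict { STUB_BAD_PACKET = -1, STUB_UNVALIDATED, STUB_RESOLVER_VALIDATED, STUB_SERVFAIL };

/* Build a query for a dotted name with RD=1 and an EDNS0 OPT RR with DO=1.
 * Returns the message length, or 0 if the name is invalid or buf is too small. */
size_t build_query(uint8_t *buf, size_t cap, uint16_t id, const char *name, uint16_t qtype)
{
    size_t nlen = strlen(name), off = 12;
    if (nlen == 0 || nlen > 253 || cap < 12 + nlen + 2 + 4 + 11) return 0;
    const uint8_t hdr[12] = { (uint8_t)(id >> 8), (uint8_t)id, DNS_RD >> 8, 0,
                              0, 1, 0, 0, 0, 0, 0, 1 }; /* QDCOUNT=1, ARCOUNT=1 */
    memcpy(buf, hdr, sizeof hdr);
    while (*name) {                       /* encode each label as <len><bytes> */
        const char *dot = strchr(name, '.');
        size_t l = dot ? (size_t)(dot - name) : strlen(name);
        if (l == 0 || l > 63) return 0;
        buf[off++] = (uint8_t)l;
        memcpy(buf + off, name, l);
        off += l;
        name += l + (dot ? 1 : 0);
    }
    /* root label, QTYPE, QCLASS=IN, then OPT: root name, type 41, UDP size 1232,
     * extended RCODE 0, version 0, flags DO, RDLEN 0 */
    const uint8_t tail[16] = { 0, (uint8_t)(qtype >> 8), (uint8_t)qtype, 0, 1,
                               0, 0, 41, 0x04, 0xd0, 0, 0, EDNS_DO >> 8, 0, 0, 0 };
    memcpy(buf + off, tail, sizeof tail);
    return off + sizeof tail;
}

/* What a stub can conclude from the response header alone. AD is only the
 * resolver's assertion, so it is worth as much as the path to that resolver. */
enum verdict classify_response(const uint8_t *resp, size_t len, uint16_t id)
{
    if (len < 12) return STUB_BAD_PACKET;
    uint16_t flags = (uint16_t)(resp[2] << 8 | resp[3]);
    if ((uint16_t)(resp[0] << 8 | resp[1]) != id || !(flags & DNS_QR)) return STUB_BAD_PACKET;
    if ((flags & 0x000fu) == 2) return STUB_SERVFAIL; /* validators answer bogus data with SERVFAIL */
    return (flags & DNS_AD) ? STUB_RESOLVER_VALIDATED : STUB_UNVALIDATED;
}

/* Constructed demo: exit status 0 if the query for example.com is 40 bytes. */
int main(void) { uint8_t q[64]; return build_query(q, sizeof q, 0x1234, "example.com", 1) == 40 ? 0 : 1; }
```

A `STUB_RESOLVER_VALIDATED` result is meaningful only when the resolver is reached over a trusted path, such as a validating resolver on the same host.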