On Sun, Aug 22, 2010 at 09:57:27PM +0200, Mans Nilsson wrote:
Subject: Re: DNSSEC and SSL
Date: Sun, Aug 22, 2010 at 09:11:43AM -0400
Quoting ML (ml@kenweb.org):
On 8/22/2010 2:38 AM, Mikael Abrahamsson wrote:
No, because DNSSEC isn't secured all the way from the DNS server to the application, only to the resolver. Both systems have problems, I'd imagine the best security is when they work together.
Is a DNSSEC capable stub resolver not in the cards?
The best option today is to run a full-service resolver on the host, which is a tad heavy for most desktops, not to speak of the cache misses that would cause root server system load. The latter can of course be avoided by setting forwarders.
That assertion is unverified. I suspect that cache misses would not overload the system as it currently stands (modulo a ramp-up of DNSSEC-capable stubs/full-service IMRs).
OTOH: a thicker stub resolver does indeed exist: lwresd in the BIND suite. Calling it from applications does, however, mean using new API calls, since the traditional resolver API is oblivious to DNSSEC.
Perhaps a review of lwresd/unbound would be worth a gander. --bill
--
Mans Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
What PROGRAM are they watching?
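An added example, not code from any message in this thread: a minimal DNSSEC-aware stub query in Python, showing the two things the traditional resolver API (gethostbyname/getaddrinfo) does not give you. It sets the EDNS0 DO bit in the query, then reads the AD bit in the answer, which is the only validation signal a stub gets from a validating resolver, and treats SERVFAIL as the likely failed-validation case. The resolver address 127.0.0.1 and the sample response packets are assumptions constructed for the example. The AD bit is just a header flag and is not itself signed, so the check only means anything when the path to the resolver is trusted, which is exactly the point made above about DNSSEC ending at the resolver.

```python
import socket
import struct

# DNS header flag bits (RFC 1035, RFC 4035) and the EDNS0 DO bit (RFC 3225).
FLAG_QR = 0x8000      # response
FLAG_RD = 0x0100      # recursion desired
FLAG_RA = 0x0080      # recursion available
FLAG_AD = 0x0020      # authentic data: set by a validating resolver
EDNS_DO = 0x80000000  # DNSSEC OK, lives in the 32-bit TTL field of the OPT RR


def encode_name(qname):
    """Encode a dotted name into DNS wire format (no compression)."""
    out = b""
    for label in qname.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x1234):
    """Build a query with EDNS0 and DO set. Without DO a validating
    resolver has no reason to tell us anything about validation."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR: root name, type 41, class = UDP payload size,
    # TTL = extended rcode/version/flags (DO is the top bit), RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt


def parse_header(response):
    """Return the fields of the 12-byte DNS header a stub needs."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", response[:4])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),
        "rcode": flags & 0x000F,
    }


def classify(response, expected_txid):
    """Classify a resolver's answer as a DNSSEC-aware stub would.

    'validated'   - AD set: the resolver says the data passed validation
    'unvalidated' - NOERROR without AD: unsigned zone, or a resolver that
                    does not validate; the stub cannot tell which
    'servfail'    - a validating resolver hides bogus data behind SERVFAIL
    """
    h = parse_header(response)
    if h["id"] != expected_txid or not h["qr"]:
        return "not-our-answer"
    if h["rcode"] == 2:
        return "servfail"
    if h["rcode"] != 0:
        return "rcode-%d" % h["rcode"]
    return "validated" if h["ad"] else "unvalidated"


def query_resolver(qname, resolver="127.0.0.1", port=53, timeout=3.0, txid=0x1234):
    """Send the query over UDP and classify the answer. Only meaningful when
    the path to `resolver` is trusted (e.g. a validator on localhost): the AD
    bit is an unsigned flag that anyone on the path could set or clear."""
    q = build_query(qname, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, port))
        data, _ = s.recvfrom(4096)
    return classify(data, txid)


# Constructed sample responses (header plus echoed question, no answer RRs);
# these are not captured traffic.
_QUESTION = encode_name("example.com") + struct.pack("!HH", 1, 1)
SAMPLE_VALIDATED = struct.pack(
    "!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 0, 0, 0) + _QUESTION
SAMPLE_UNVALIDATED = struct.pack(
    "!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 0, 0, 0) + _QUESTION
SAMPLE_SERVFAIL = struct.pack(
    "!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | 2, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    for label, pkt in [("validated", SAMPLE_VALIDATED),
                       ("unvalidated", SAMPLE_UNVALIDATED),
                       ("servfail", SAMPLE_SERVFAIL)]:
        print(label, "->", classify(pkt, 0x1234))
    # Against a real validating resolver on localhost (assumed address):
    # print(query_resolver("example.com"))
```

Note the gap this leaves open: "unvalidated" covers both an unsigned zone and a resolver that simply does not validate, and the stub cannot distinguish the two from the AD bit alone. Closing that gap means either validating in the stub (the full-service-resolver-on-the-host option discussed above) or a richer API such as lwresd's.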